9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14 (SHA256)
Kraken.exe
Windows Exe (x86-32)
Created at 2018-09-14 09:46:00
Notifications (1/1)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: kraken.exe
7902
79
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\kraken.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\Kraken.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:02:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfdc |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
FE4
0x
FE8
0x
FEC
0x
C58
0x
C54
0x
C4C
0x
C78
0x
C84
0x
C80
0x
908
0x
704
0x
F88
0x
828
0x
538
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | - |
|
|
|
- |
| kraken.exe | 0x00220000 | 0x002a9fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00420000 | 0x004ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00536fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00652fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | rw |
|
|
|
- |
| l_intl.nls | 0x00680000 | 0x00682fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00690fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x006a0000 | 0x006a4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00926fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x0205ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02060000 | 0x02396fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x1a39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a3a0000 | 0x1a3a0000 | 0x1aa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aa70000 | 0x1aa70000 | 0x1ab7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ab80000 | 0x1ab80000 | 0x1ac7ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x1ac80000 | 0x1ad55fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001ac80000 | 0x1ac80000 | 0x1ad6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac80000 | 0x1ac80000 | 0x1ac8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac90000 | 0x1ac90000 | 0x1ac9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000001ac90000 | 0x1ac90000 | 0x1acaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000001aca0000 | 0x1aca0000 | 0x1acaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acb0000 | 0x1acb0000 | 0x1acbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acc0000 | 0x1acc0000 | 0x1accffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acd0000 | 0x1acd0000 | 0x1acdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ace0000 | 0x1ace0000 | 0x1aceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acf0000 | 0x1acf0000 | 0x1acfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad00000 | 0x1ad00000 | 0x1ad0ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x1ad10000 | 0x1ad50fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001ad60000 | 0x1ad60000 | 0x1ad6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad70000 | 0x1ad70000 | 0x1ae6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae70000 | 0x1ae70000 | 0x1ae7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae80000 | 0x1ae80000 | 0x1ae8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae90000 | 0x1ae90000 | 0x1ae9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aea0000 | 0x1aea0000 | 0x1aeaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aeb0000 | 0x1aeb0000 | 0x1aebffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x1aec0000 | 0x1af13fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001af20000 | 0x1af20000 | 0x1af2ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1af20000 | 0x1affefff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001af30000 | 0x1af30000 | 0x1af3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001af40000 | 0x1af40000 | 0x1af4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001af50000 | 0x1af50000 | 0x1af5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b000000 | 0x1b000000 | 0x1b0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b100000 | 0x1b100000 | 0x1b1fffff | Private Memory | rw |
|
|
|
- |
| msvcr80.dll | 0x72f60000 | 0x73028fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00007ff5ffdf0000 | 0x7ff5ffdf0000 | 0x7ff5ffdfffff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff5ffe00000 | 0x7ff5ffe00000 | 0x7ff5ffe8ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff5ffe90000 | 0x7ff5ffe90000 | 0x7ff5fff8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fff90000 | 0x7ff5fff90000 | 0x7ff5fffb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5fffb3000 | 0x7ff5fffb3000 | 0x7ff5fffb4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5fffb5000 | 0x7ff5fffb5000 | 0x7ff5fffb6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5fffb7000 | 0x7ff5fffb7000 | 0x7ff5fffb8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5fffb9000 | 0x7ff5fffb9000 | 0x7ff5fffbafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5fffbb000 | 0x7ff5fffbb000 | 0x7ff5fffbcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5fffbd000 | 0x7ff5fffbd000 | 0x7ff5fffbefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5fffbf000 | 0x7ff5fffbf000 | 0x7ff5fffbffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ffa7f3b0000 | 0x7ffa7f3b0000 | 0x7ffa7f3bffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f3c0000 | 0x7ffa7f3c0000 | 0x7ffa7f3cffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f3d0000 | 0x7ffa7f3d0000 | 0x7ffa7f46ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f470000 | 0x7ffa7f470000 | 0x7ffa7f47ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f480000 | 0x7ffa7f480000 | 0x7ffa7f4effff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f4f0000 | 0x7ffa7f4f0000 | 0x7ffa7f4fffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f500000 | 0x7ffa7f500000 | 0x7ffa7f53ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f540000 | 0x7ffa7f540000 | 0x7ffa7f54ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f550000 | 0x7ffa7f550000 | 0x7ffa7f55ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffa7f560000 | 0x7ffa7f560000 | 0x7ffa7f56ffff | Private Memory | - |
|
|
|
- |
| system.xml.ni.dll | 0x7ffadb3d0000 | 0x7ffadba78fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7ffadba80000 | 0x7ffadcb18fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7ffadcb20000 | 0x7ffadd54ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x7ffadd680000 | 0x7ffadd8b8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x7ffadd8c0000 | 0x7ffadda42fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.ni.dll | 0x7ffaddac0000 | 0x7ffaddc06fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffaddc10000 | 0x7ffadeaedfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7ffadeaf0000 | 0x7ffadf48ffff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ffae0930000 | 0x7ffae09c6fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffaebc80000 | 0x7ffaebc94fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7ffaecfa0000 | 0x7ffaecfb3fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ffaed070000 | 0x7ffaed0d7fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x7ffaed120000 | 0x7ffaed1d8fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x7ffaed370000 | 0x7ffaed396fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x7ffaed390000 | 0x7ffaed399fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffaef620000 | 0x7ffaef6f5fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffaf07f0000 | 0x7ffaf0809fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffaf0810000 | 0x7ffaf0825fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffaf2b90000 | 0x7ffaf2c07fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 75 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000538-Lock.onion | 1.97 KB |
MD5:
a3d92aff31e1f61e75a4ac3edfabb46e
SHA1: 69c99771dd61b2e366107aeefce269b39775ff18 SHA256: 036d7954fa6f58d113643c5d378337460422c772e797c52639e7d3cb08ff7be2 SSDeep: 24:g3UYCvLQw0NarIoJtnIG5MgecIdjSVe39WNsA1lUaFnP1nmsVXhR0gxpbFYn3ipW:8AkmnZMFft93G51l7P5BvPxO4egg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 82.98 KB |
MD5:
db57949925606aa90a4cda70637ba6d7
SHA1: 0cfe3ba979ed561fc621a4b26afff45c243b062b SHA256: c58a6362d8510a4bb6333810c9ef30aa389e04a7e2e9a53779586826101a7257 SSDeep: 1536:xiRfP2+NVd0L2oExidaQ/gHL1FHPbv8klW5nGwLtfhQt45hOKKqcANme7QMTCB9r:xiRG+yL2ohapFv78AwLtpQtGKqcMP7js |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | 11.23 KB |
MD5:
40bbdf9998bb3e54d262f45de318c0ef
SHA1: 41b41b39029c5d8ede304c174b53e92dd7989fe4 SHA256: ad4072217fc1d115270af134d6691a35fd3d10df3a2785a1ea43a05ce38d98a5 SSDeep: 192:WjVszqVRhy0Hk+Gg0DG9DEB+zgJ3Ytk85OgVf1V3ahO6glXFbXkl5Kr:Wj/yom6WB+Q85tBoODbkDKr |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | 17.86 KB |
MD5:
df8e3193c2490c39d86eb12b53f45c95
SHA1: d730b9a5c6cf85e2d4a0fb13ecb8144b0dceee90 SHA256: 848181af90b0cd35ef654d5534da66d370541b97a2c1411569619e74d3e9c59b SSDeep: 384:dwhdjkRjhLW4yO94ClpsmBZwQxJ6+zLr07gUnMbvfLBOEW2MZ35Uw:UeRF/SvQxJ6wX07gUnMbLBBgjUw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | 10.89 KB |
MD5:
7d23203cb8bd60759668f1c0bc817b87
SHA1: 50d5beef2e1457847411dd67c684caba03c97fcf SHA256: 9943d7bcb5fd36528d2c78afb153e3aa207f0719912b0358efac866b0784097e SSDeep: 192:rpwPPaDuqu/z7GmzjTEErEvAB1n9jF6dxLtzGF+3aeUt1/XwTD2EAJcx6KtNmoLr:r6i6qgmmzHE1A3xkjtplUtu2Er8ULFcG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\00000577-Lock.onion | 1.67 KB |
MD5:
47082eb3dfad1d919aa1adedc124e201
SHA1: faf21a950a1de3650b5b546dddded608c70655c7 SHA256: b3dadd4e3361571b442bcb616ccad67257debe113e5f40998afb6a9b0a77acda SSDeep: 48:9MZXNTfuJ7JSP5zN6030AXwZPfn+37/TSwStUOC:9ANy2RN6YXwZ3+bT+G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | 19.86 KB |
MD5:
ad89ba80abdcbf925334902afaedc07a
SHA1: c98547c561f3c644f83eb8dbf8546e25693c62bd SHA256: 779d01a31ebcc65f12e67991cd22a19c5b794484803dbe556e87ce3cededdb3e SSDeep: 384:F6EwEoUR0r/UTXO+6L5bU2OiI65ag9hkdKbsIVrtF6QKUaFSHJypcdSoT8jk1D5U:F6qR0rol2DI6rzVuQUFSHkiJggh5sGWx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | 8.38 KB |
MD5:
fb3cc4d78ef4b51c2ef2061c8600b032
SHA1: 4788f4c8fb1041744798f1cf30e0c79e1faf0dee SHA256: 301698a3e5ba24624597a61126bf17def3b0a0186c31214c70419768fa2bb2c1 SSDeep: 192:kx/VExynRAeE9HIUMQ+qdU7cdlaTASsg7yS29jP:kx/VExy8IUEccUa8SsfS2RP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.09 KB |
MD5:
abd1232fc81b6eb052aec30ca3bc3afd
SHA1: aaa71867a0e2688a1f2e1cf63da1ed0c65939cdd SHA256: c813e31ba991a32d67e179cff74e192f62a8d27ec67a5b4e7ca20c22d11e124f SSDeep: 1536:0Cx3pEUUeSXvOq8HV0m7y/gmU9hevqWcZHD9XX3q1TGj61X6Xi:0ZXfo10mm/gGvqWcZHD96p861KXi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\00000292-Lock.onion | 3.64 KB |
MD5:
5f96b495fef55c8da20f3a6cda7c3f76
SHA1: e171ef1faa637dc5b3d933224cb39b6931e37efe SHA256: fa8a500bbd30fd57840d95f24b6a3ccd5562df369ea50355faa813ffe37d4b2f SSDeep: 96:F9bQfx/0Yi3ZLSxORb6sHxqMqhCFyQQpHOSSgYDZ5uAEZV:F9bEd+ZLkORbXahNQQZOCYNIAU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\00000545-Lock.onion | 1.62 KB |
MD5:
0c8ccf762d6958c8aa980661bef66bb9
SHA1: 3374e3c9ccebe6b52c636d1563e6e7c387052a97 SHA256: 9d73a951b259dc06822273c7c632ddbb24d7a05c0b11fd122f2e9eeef12d1861 SSDeep: 24:AKxpvnZaP43uc4iT/lBkwYW6gSXq+wRwDzfsMCDQMEGiYEVPPC6Vpex6Gq9Ua:/xp6T9i7lawYWGCeOD4nlpm6Gq9b |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.09 KB |
MD5:
4f8baa2eb89f00aaf53db2b533910121
SHA1: 5c47ae13a2debb8e352a293c2d9fa6a2de06274a SHA256: bbd73d4fdc4a2077911d85cca9a815c5baae4104ef02d06c472fed5f5344b9a9 SSDeep: 1536:4SO+meNvsdDg9/dzoLu9oUt+ugN1amHSl8wq49cchKWDb9JJff:4SO+mWG6/dz1gNPHJcXln |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\00000293-Lock.onion | 2.91 KB |
MD5:
772e65fe2a10f592853d16130eacc89b
SHA1: 88a8cce0cc1a088fe0f23c55b7450315123ce9e4 SHA256: 7a177596cc26cd113a76448f181a05127fc1cdab58dc580080b498edc822b108 SSDeep: 48:GW3jWqJTXR9/Ik7XdELwnkaqhgR7sOjU0wwGR1do4PvN/o524i3bpRVGf8RMKFLX:v3//f7XvkaqGRnj0wMTrn6524mC8R5tn |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | 16.77 KB |
MD5:
103e7d4285d9fd4572b6620fc05f3b2e
SHA1: 3ba6c877ceeb4386987f5a92caeabfaaf0e7091c SHA256: 7c260fec4304a0a3e646ecf6f751ad9b34e23fd740b9461fefa98ef233b91e63 SSDeep: 384:kchjky5N7G03kojVYSj78rH+GsrXxXNmxWd5qYXV:kchjkSq03nj57ovsrqI5XV |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | 16.66 KB |
MD5:
1da01d4ac9e07abbb47e017accc8bae5
SHA1: 45d7a35617a2feb3ed9a0998b44cd9e075e5c188 SHA256: 06f5452ae7491d9e8292abb98529bd7f650d7f5810bf45bc2ad5f58c7cc38065 SSDeep: 384:QJOc8yFVVbvNA89hWllRSJ3GfBqwtepVT:AOcfVbvNA88PMWfBtOVT |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\00000552-Lock.onion | 15.06 KB |
MD5:
25e4a93a2e5474243e5bbc125b94ddeb
SHA1: 82ad9b075069ac4fa378438e09e3a12d4c3368c3 SHA256: 8066824d504e370fc23462742206a0287743e3011ab7c17e635d340d2cc53326 SSDeep: 384:OUO4/yTEb8vhXsoO0VFouvGLLczVYBUFtpfq8mVIK8:3qIb8vhXvrvy0V+Qt9qz4 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | 6.67 KB |
MD5:
905ff9f3cfbcf8ddbd0eb74bb8bfee78
SHA1: 6ca14184b9d639ccdb2711505cbfd668d27ef3ca SHA256: 4cdeb236babb32f53821472230866e62a897e3ecce4fd6c0cf854a96c9e978d3 SSDeep: 192:jO29ub0bBFIikKL4lt1C6dNLm3PgHwqc/XaZ:jP9eyjIikKMlnd9m3YHw9m |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | 9.36 KB |
MD5:
de7be05fd83b0df9f8ae48e72332fb39
SHA1: 34641a57abb4d2bba9c6f1bb1523a4ee0b469702 SHA256: 7209a7a89882ccc3bdb96ae5d23a9fd66676b5a9c3e96e892bdd956aa00c5b29 SSDeep: 192:68e/+4+TWWN1QbdkA4ohcq1x5/d/Nb4d5aQdZ3fu+vU:xe/+TdN1QpXDcovFKdMQdJfI |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | 10.00 MB |
MD5:
bcb39190507a3d384885187c95a1c538
SHA1: 218134b49a96db372e91a83b2901c3d008fb03e8 SHA256: 87d22b8e31f60ae8e9e6bdeff45b76c43cfc6e226710a98e36d95013e700112b SSDeep: 196608:EeUhGrDwd3fHoGYMvi6vxXeiozV+5tGd+XZgkrpdQi5aC:E1h3d3foqd1eiows+XZg+5F |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | 10.00 KB |
MD5:
97abfdc970422d67e0211ce3e063a345
SHA1: 50b4828c8ce1736537d0c4869b7909b36c4970b9 SHA256: 9ac992d1fe437cbd808f26a807d8de3de838d0c6d58ec7bf4306b402ac39a58f SSDeep: 192:FkLqOY+3rngDCH3q+z7s+AbZ8v8D410ULbWScU8GXq4p5/4jFAFek9er97BNyjl:KmO9rgy3qae9gB02bWMLpSK9O91G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | 6.00 KB |
MD5:
1dc3d44b50465f1fcccb7a2958ea4b2c
SHA1: 46c09c00031e9c2f48f445a0e38101112e2048b7 SHA256: 820b85cbbe286013bf354ebf9d517b7e1bec186890e7f45364271b5da4ebf3b1 SSDeep: 96:yhzQeZzQEmIfCF8wEnxVSlrAKF2SVSI1Tr+6rnNLj0D29tkAT5yhJVgG5t3WWw5:kZqCwOxVSlrtaEVjiivK8G7A5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\00000566-Lock.onion | 21.66 KB |
MD5:
ac9ed7b951e34b78d64bb198c09b9ea1
SHA1: c46bd2210ad99daf56f0ef0e4f34c16779170017 SHA256: f8e8101d2359ba8183fb8712bc9320a31f46788972e7149603f886bb3d348583 SSDeep: 384:0S7CMaIrja7uyh5B17g2fjbbSuj9jleCUApOiM1kajRAXSB4cGtv5qhnhm:DCMj3adB1821j9jleCDOxf0SBLGtkhm |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\00000295-Lock.onion | 5.02 KB |
MD5:
cc7984f4f33f76f8cb906e019251ea5d
SHA1: 7775133f6b3832d802f7870d781db76a986da2c8 SHA256: 7ba2c9ea425415ccbe5b2a6767a1548dc29fe50383dbf49b1e712d88be269c3f SSDeep: 96:fAe9lr6V6vNaBLgwnlEsqIp8E5FIsipgOhfWQG+ACuNQIbpf7u:fe8EBLZlpqroUnA3NrZ7u |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\00000554-Lock.onion | 16.75 KB |
MD5:
17ddc07cdf45b25ec55b07730b96c6db
SHA1: a7fc78b00883a901f30e6a47fc8ad6511dc3b6ce SHA256: 35a0daa199e8b8fe4e9b10540fde7e45d5955ec687f682d5c35503561adc660c SSDeep: 384:/0rSb9YefgHoi3YGkM7pyGb0tYyeR+Ozubse9LWIdmS3skR3nB:/0rmniIGXlPxyeqbVE1SR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 27.94 KB |
MD5:
cfdbbd7a489b0a50d9916741526de1d0
SHA1: 20cd4aa128aaf35578c724c92c4d333fab29cd4c SHA256: b59257c0f7435b6ef18199dbed4c0eef7f946b80425ce5ee0f9acf61bf738983 SSDeep: 768:XrkZ9JxZu7x+23UUM1SLr36LsfOJxLUYv:XYrJxZIx+221cr3Gsf+wYv |
|
|
| C:\ProgramData\Eula.txt | 7.31 KB |
MD5:
8c24c4084cdc3b7e7f7a88444a012bfc
SHA1: 5ab806618497189342722d42dc382623ac3e1b55 SHA256: 8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a SSDeep: 192:RCVPxjERdQe/lb9iLbRvhSXH3DsDw3zF55Mz6h:RcFERdXlRiLbujuw3zF55jh |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | 9.92 KB |
MD5:
3a97b22fe1875a5404e1a722964c0d05
SHA1: 986ce6231b0b3a4143494c9509e1c28091112901 SHA256: 0e49aefffdb0d6c07c3613c42cf665be03324151810bcc674ef3ba00fb3aa2aa SSDeep: 192:WfEnnte+6eiBdtmXBXd2GTOfCFbWbEathiY03gc5Dujg+y0y7nkdBuPPZaumB:W14iBdIKGTO4bWX3i73Nujg+JxaxnmB |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\00000290-Lock.onion | 3.33 KB |
MD5:
1afea0514680fef446d45ac121bfc9be
SHA1: b3b151714779f63b0185448aa066a6fdf7377372 SHA256: f3e685fc6d2c63d21d483ab66155abc5e42e05b075de5249c9d8ba6606ef95d1 SSDeep: 96:m70R81fzxfgBsk5l4/sSH7yJFDdaHnxRPTSAeTr5:m7g81dfgBfMluzd6xlSp5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\00000547-Lock.onion | 15.77 KB |
MD5:
965fc921a91495ced80022a606a80dc9
SHA1: b920e5d747a84d7d2f96ac1386b7fc2f0d250583 SHA256: 19945eaeee836a5a9c087050387f094d6db31fbe823d02d4b3ea4e4504864645 SSDeep: 384:4BEd5Npij4xh7JY/aVv1bxr7cuRI5OjVe8zla0TpGCw6P:4BEPi4L7IcxxrjW5OPzRs6P |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\00000575-Lock.onion | 5.05 KB |
MD5:
25ffc8faa03401e6952dfe3aba71e9ab
SHA1: 476a7fef36a0265e746987f0e84b93077a85ce71 SHA256: 007c65f0779cbfb14e9b6b794e0dc35b67b7476988a0b0e8607184b8686de904 SSDeep: 96:atYkfhIaFrezd5iGyk8QS0LG6op2RzzH0xg/z1TbsY7782WpSH+wEaxlBV8:atY1p22Sc7Nz8gZTgY/8XSjv1V8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | 17.89 KB |
MD5:
7788fd5f646c96a9178895624c92911b
SHA1: 04ea6d20b015f8f6d027bf69fee9773848c82e6a SHA256: 7a6a4b3b18de72eb9533a07e68ec92da9772f327e9215e65903c19d6fafd4eb6 SSDeep: 384:wIPZOzkIyOYRZpgTqrL9YjaPNS7K8T0kCisJ54UGNvI2bdEupe+M:ZkMZIopYjaPNS28ThxshGNQrszM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | 8.47 KB |
MD5:
83712c3c5fbd1fec64560ad2fcd00536
SHA1: eeef17f6a896e873b7b356f23ebcf1d83e831858 SHA256: 9481bb56b1b75f33370b94ae568bac9b3ca7226e8f71488fbea24a60ffdf963e SSDeep: 192:vo2UREtP4BVn8s0HmcFC9INqN88y66D09XNfCO//+p69D+n:g2U8Pyn8sUFC9SqH6DuNPGq0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\00000927-Lock.onion | 14.25 KB |
MD5:
e7202b51b78cfea5a3e9a052e07dec41
SHA1: 196b3ce57635b81fcc22ded19d5913f39cb23e68 SHA256: 91971e7a2fcbdd5af767d54ee676cdfaf3c50b56fd09288637bb940fbe189740 SSDeep: 384:XAWTBlTOoxJgXTlE0k93NYBPV3UfuYGJFx/:XRBliCJgXTlE3uBPBNLFx/ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 30.14 KB |
MD5:
b6fbb6435a93fb782e0cebaf651428fa
SHA1: 35efee550173900323e8208ac86d08ef6646ba8c SHA256: 9ca1fc48cd0d35024635c54eb1bb0a2b0f2854e40829ecf4d88f0d56bd8e881a SSDeep: 768:umT5QejXYz3cfChXbd2ARCEGIdIocPMTBoJAhG6zsM8yE0DKjVFyh9jEy:n+47fOrvpGSqwBmAhp4nyMGEy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 58.17 KB |
MD5:
91120505cdb0d059b6b81afc8022ef20
SHA1: 50c8e1afb06e1687bc643d492fdb153e1ae3568d SHA256: 5363bf091b4164870d97210253c6393b30219861e9ef1acf75ddc5fc4e2ae962 SSDeep: 1536:Bcr/BmgV76r6XTAeYTz+R+vyY3hdnQPVySxsbg:BSAG2e8Bz+RfY3jg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000540-Lock.onion | 1.52 KB |
MD5:
3ddc772c2cfe1de7b87bafd4f067e056
SHA1: b37af95e71f473a0cccd8d3ca8e3259d99256102 SHA256: 41b1e782fbd4f22c9321a191d8fb1a1ac15b6bc3cdf788ce4456bba120612962 SSDeep: 24:a/CV9jvV4b4JRMK54vaXLTMGhNmfXafIfdZJc1rx4jTV6IdT9urKG/SKibAnkqn:X9jd6CRMK66MpVZJErinJdwrj/PkM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | 15.61 KB |
MD5:
a8efb389201cb91c5c284790c026ffaf
SHA1: e81d3eeea4517c3a71e77a309d5787fed4c5fefc SHA256: 75975222fababb1c50fc21aa74ffb726d22531b5f4462be519a5af1044547634 SSDeep: 384:dwP5PjtGfj0Z8BnI6AomuXeZYxyErsBxf8W6I:dwP5PJgfBnIhlYeZY9sBxWI |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\00000294-Lock.onion | 1.69 KB |
MD5:
6f35a321c1a04e7f600d40a3d6e1a833
SHA1: 6f9a28806406942f07e9dbfe66f810288eec0ca1 SHA256: 2dafed71bc08801a90e406d0925b1960302f991dd986835a7677274f5ce0c754 SSDeep: 48:s3PHNk3IFDIEwdTsrpqWrQRYKEWQKULCi3JCuAS:P4FsuNhrfPKS9CuAS |
|
|
| C:\ProgramData\Microsoft.zip | 157.33 KB |
MD5:
5fffb905d9a881a36420a40f7ea1e999
SHA1: ca06e8c601d802b3c18d2de0c37ce4fff8ae782a SHA256: e78fe7d61b760118529858351c20e2814d5ca8a0c16e7c65fd180fd12f431824 SSDeep: 3072:lGaL6nBYtIFRgWoIutqXZuyVnrhuMUK18cih4hodDphXYYx0wvZXrLoyy4d3U8Pc:lGY6nBkztqjn8cC4h+phXYelvpN3E8Pc |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | 15.61 KB |
MD5:
c3d33c9b68ba3aa2fb2145e01843520f
SHA1: 928e8de5c1b7c3d8fa7536ec8176068e9104d1bc SHA256: d1b4eac277fcbab7b93ee3c504f1d61b8fb206445b273a09c98f07b18a983144 SSDeep: 384:CarTH29ixkwjkLKhXxYIt9wyZe9HdSC4QGms1bcWMVvKsg:f8ixkZOhG8xeZdLGmyj/j |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\00000561-Lock.onion | 16.17 KB |
MD5:
c88258557b651fe7e63bc99183e82e70
SHA1: ac2420f977fb5b450d8a13037f80f84c0c6ca6c1 SHA256: dd4d232655944536801abd530a91931145590bdd15e1696eee2bd3ad5a4f4af7 SSDeep: 384:lmRAbLCePTP9j/kjVBkN4OwQhprLsq1B82Z:sRheBjcbpQhprLsqr82Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\00000548-Lock.onion | 15.08 KB |
MD5:
e63e8461ae64f4deea7cf637cbe5e86d
SHA1: 1b54cef00ca39c987d63a6c731da667e5bd3c336 SHA256: 1dd6aea21e5bb20803392eab446ce4d757f3834aeb3a2282f238ae0b661957e3 SSDeep: 384:jwY2HG8xyK/PxCVgZg/A32F2obV0v7JWDIGo6:Z+TB8/AQjVNo6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | 8.69 KB |
MD5:
29fb426ad7056e6f466d1a74744a3e58
SHA1: e3e62eab66e6cc0a81afc7a9a6be075b62a4c939 SHA256: 13261f49e17d73d1f8d7f2567bf4b6511b5ea54e55716269f0a3c8616ab49521 SSDeep: 192:uV0l5QSHGeJq51cIxeTT6zS6bx9crk6AUDyrI2domJ3MU1UUa:FQSmiq51E6ZFiAIyEWomq4UUa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 23.97 KB |
MD5:
67373c4a76559649d9e4fcceeeb35b7c
SHA1: 5a1c1c1efb58646c50c60f19503aefab458439cf SHA256: 3633adee017a9c9647a8904b5f6504e0f099141928cbfc61d8eff97efd7f326c SSDeep: 384:oILFvXxD0fdVv8QAsR7IjDCi+J7TmPSkr8ByjYa3Vyt44BnN7jscahcXlAe:Bv6fdFAIIt87Fk3YxHBnFjscnz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\00000576-Lock.onion | 1.67 KB |
MD5:
82a43b9814fda16ba34402a694b162fa
SHA1: 312e187a840b92acd0a6b6dc3548d9d5a24e4b34 SHA256: 0aecba8482521357ef8c6b8ca8bf103a3836b514b1508b8a44b0552b419648c7 SSDeep: 48:Kvi3VxyWpXZUcltzbZuaGC+7F8TQ9ixU+b2k1+R3:2CVsWpJU+fZqmEAxU+b2k8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\00000571-Lock.onion | 21.98 KB |
MD5:
21a1949f88e83c401a018be4e997f91e
SHA1: 7dff8d62230994bee0808f8525953b3f6981db46 SHA256: e7093668d4f8c4e03e11bda7966c5f706d346207f713e98895729421aa4366a1 SSDeep: 384:2ivNBbSnLuiRWfcy1O+cUQn9sSkg3GwGiBs/CAR2fVIJ9bW1dwuGwwjXrCjFxffK:rPSLfRWUy/+lGiBs/CxtZ1ifjAPs1Gj4 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 23.31 KB |
MD5:
eec163e103125cabd371256b0e8b633b
SHA1: ec394df0ab994ac7146612c0dd5d376410351be0 SHA256: 2e4fb1ced45ffe9669201240d4465a214ca395f5d2009d27518e9ef6454f3ff4 SSDeep: 384:lRte47haKuJxEtaXAc6M8GRk9fn8+gpWtUTaqa+t8kG45fy3cPS79:lDe47hNFkXKM8Cy/zyWyGqlPdfy3c6Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\00000551-Lock.onion | 15.98 KB |
MD5:
0cc11fe027f1f46ff4731e02d75804d7
SHA1: 57dcd71a35db8aa47966b0c16b517b1f5382abba SHA256: 6eb5f718c45c595177619e43c73a72a902430f8c8e479599256f3ab4a8c2340b SSDeep: 384:up6i+BMwii+CxC2z7i+BPUpwTuSvGBhQ5TnHDB:0p+BMwfxbzG+WwTXuBK5TjB |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | 8.47 KB |
MD5:
b7e434e1794fb30c5b2ed158edcd018d
SHA1: 790d86af467d9798e92afe710baedd055794ab11 SHA256: c4ef7eaa95675083ca7444f2a16f7e7113247522ab40cb323b1bafe26369b4f5 SSDeep: 192:1In119lwfUwWmHqRqtJAWHwtToAyErG6nWBqHMhyfr:a1PqUHm0oWWHwtoAyEDnWBqH2yfr |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | 8.38 KB |
MD5:
ab58f93b204bcf4d3d36e92408971adc
SHA1: 9e04aed00e37bcaecbd010af16e206248140f79c SHA256: 2e271d34d6a1a0b6d24c2a1f682ced49fa987a2bed1a56d487a239ddaa44685a SSDeep: 192:kLxqS1dB/te+s9YL9bncCzkFJxdiVe7XICGSq2/7IYHsXXyM+5:k9qSr7PiCzkjKTS5/7oXyM+5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000539-Lock.onion | 1.97 KB |
MD5:
eedd177b26eaa34ce01169cf62a06b47
SHA1: ac5c1fcf52d564464eaf56981a5e440ec17e1bd6 SHA256: 9b53c629ff34da2f3c61c4fbfc384e2c21cfbe5fa1743d211406f3334cc50b3a SSDeep: 48:VS/1trkldmYsSBIXjEg3IVlJ1/LbuIUpIEDsm++SzS5qlaLtyXK:KtAsYMzBYl/CIEDs7z8fZAK |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\00000556-Lock.onion | 15.94 KB |
MD5:
97e2bd08ecade37a70bfc7d26c5bdf3d
SHA1: 247d36fdbae32823efb42b9ce746ab8ae31398c8 SHA256: 272118fca9f160f026e7ef90bd82e5431c66fc7d8094838f8490fa2604ff6add SSDeep: 384:fcM+BuY0Bt2Rp3UnOImwH9cmf+9bFyC0R9D0joKn0wd45GpJ0DmU3d7Y:fc1TOQRpkOVwdBG5sCwW05GPa3k |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | 9.09 KB |
MD5:
f82b369623032cc6d82417693d617135
SHA1: 38f177d6461b70ebc38ef00ed4cb053c189d3ea8 SHA256: 2d177d4a3e6a86b33d0810857ba42b867069deb98f2a048dfb3327293387c8cf SSDeep: 96:TFgCDMw65MyRop5PgvJUDuthjMb3t6julET/wrnDqwG+w8OzhQnDW3IAck6vTSy4:xgxeCM6ju+TgqP8ioR5RvTSyf1OunBfO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\00000568-Lock.onion | 15.06 KB |
MD5:
229f97cdc7fcbe0626fb5326a0bd3466
SHA1: 33fc2739208179d14dff5c1d9de458284c597c22 SHA256: 66739e58fddba9e24c035e2993d48efceb62d76d4b9aa9fe591eef04c7e91804 SSDeep: 384:kj4TUxsnOrQ5wwOgmiAlpQS4qsCnOHhEJZGh1Yy:kj4TUxdQOwssSpsCnOHhT1Yy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\00000553-Lock.onion | 15.64 KB |
MD5:
6db0e080fb7316edf6dc5fe95c2f0733
SHA1: 87319f678a7bc1ad176957b3cffaa7b2318ad5cc SHA256: f3265ff968cbf81e460a647759990df0699d92d9de9560613cb8096f8ac67a7b SSDeep: 192:A5O5UMtr7GXaxETdmCgnIlGGjmBSfhYjZgm4cj4bO1uZcFW7EsJ2qcDpVVBXlvxx:x5tma7fGsO4wO0ZV7EsJ2JD/Xlv9Covn |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | 10.11 KB |
MD5:
2f183925fd19d6f083621d16cf3e7472
SHA1: 3e3a7a9fd1e7d008c03552bf73ca8d896fd842cb SHA256: cfb52c86c0b64ac07dc1ff274a6ef0b9edca9325bc329ef1fcb83cb4967cfe34 SSDeep: 192:58qfB1g/nmAq1f6fI+GW5PmO9YsDprqF6ysRrATp1k7wh5m13cLI9WjiBFNDL:58VOAq1fLoPB1rIQrAd1k7doI9WYZL |
|
|
| C:\PerfLogs\# How to Decrypt Files.html | 11.78 KB |
MD5:
855095155222830e0269875f32ca635f
SHA1: 56b1b506b8fd5c4cb427f2706a99d7ee0f15d772 SHA256: 9e24110e8db7e18faba2e80d5558c8de7a2d1f3b6d8746879ebf87c4e96f931e SSDeep: 192:0Oota5SqD1ajqaqj5i231NUMVrKF01xpFG3oly52jtZxzemjsewuqyjGEI:wanD1ajq5r3K4E3oU5WR7IeCjB |
|
|
| C:\ProgramData\sdelete64.exe | 163.14 KB |
MD5:
ff4cc6c8e77e184246fa687eab0b0807
SHA1: 9fa2cfcc7dac712eff626ff7437d579ccc3ca58a SHA256: 29a7b149b75d216ac057edcf963e424ec40fa1150c415f812ecdabd934c85386 SSDeep: 3072:c4ZJe7NvuMBzWYbDEjTs9w28NkI5UFZTtbxSvknIMo:c4beJv3bojTs9TESZg9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | 332.00 KB |
MD5:
9ed5507a5fdea4499c29ca2e19a7c622
SHA1: 5cf5d523e57c46999535c4cea1eac68025cb49d7 SHA256: 4d377429a5923b4f1d9bc48af2f028684af4d21670591398c1d0895d1c51e2ee SSDeep: 6144:WzI7QRFsR0LP/1FJHIG8duTxp7jpIzX/WgxuiOkZf9vE6V5GnkSCBS83Y:XYI0T/1Fedgp7jkvbpZ/HYHoSOY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\00000573-Lock.onion | 14.19 KB |
MD5:
1e23be827162e6a8a7a622d869a4a46f
SHA1: 71c9f9e4131f9f06762220c50b79e6afea65f2ce SHA256: 36d1f730fa5f05c77359ad8d0b8fc290321ba8871f195fc65d5e2845acbd08b3 SSDeep: 192:Qk6Nrf5RtH72yZFPJN1CmpBmDP3vMk9rIyLoTznAMem3l63ysFfc6Iowxo66sw5H:qB/7XUDPUiTofAdcLAJIxVw5Hki |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\00000563-Lock.onion | 15.83 KB |
MD5:
d9ca2827280c64de443c2fa5cde1cddf
SHA1: f3a9741abdc09a295db00c6e885197e723ab292a SHA256: 240e45391ed80701257d66316e4e8fdf71d27a91c9aa554917b518d5a4080203 SSDeep: 384:GfYKxvaVPdeH+mcJTmwSc5ai8IW7UDEC8UnnD1XaCfkd:GxaE+m4mw1W7UPBaYkd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\00000296-Lock.onion | 1.67 KB |
MD5:
48196c3b008bcabe1d63afb9a2e3d62c
SHA1: f05bae782ad2da95e932805ff081c3a7fc418888 SHA256: 8ac5e6a2191639ff66705c380170ba644e2fc997a47d55a5e85fed2584788094 SSDeep: 24:64wS1Y6ALo8biWKHMU1G9qqHhvAh6J8yDYdfjbpdxkgMJRWmtC2oj/JFh/t:ftiLo8WTsUU9qqBIaUDdUJRVtCNj/bhl |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\00000565-Lock.onion | 14.38 KB |
MD5:
fc5baee6b989d91ae8b7a3950da729b1
SHA1: 57fdbde429fa53a36d1e7cf6973815a61ce3469e SHA256: 819c1707df4ad8d9c853a2aa3b34031b2dd048a127da64dbd1c13751cf626787 SSDeep: 192:WTO1JatKC1qYzjJlLdnDmprwDhJBOGmsw+e4k5keqNr5j1S1RbEu17H3XKlWNhuz:WTKwtKnklDVJB2vhaeqTZbu17H1WZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\00000558-Lock.onion | 18.17 KB |
MD5:
67291398659d77ffba258862f4055b54
SHA1: 1234d8e85c393143b49cb575e0ca3a8b0e5b2773 SHA256: a0a6ef12d9657853d48922ac8764c1f7fc1f2319e4a12c2f04201672258b44c9 SSDeep: 384:hG/3pnBSULvykWzsJ8I62YXULRE65VYsMyrOIUto:hGvpnoUeRA8erz5VYsMLbo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\00000297-Lock.onion | 1.67 KB |
MD5:
29ab582ca66674e861e159b71b00315b
SHA1: 41561b5fdd20a184246364c93ddfd6fd89e2582d SHA256: 175e980d35226aa10dea8e78c5d74f8320d0915115ee39eee1edffe1fbea4cd9 SSDeep: 48:5ydw8Yll2PShWXZ1MgtLIabAKEqmVmINSVRUR2vBEOR:5XlMmWJ1FCX+RUR2vhR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\00000567-Lock.onion | 16.06 KB |
MD5:
d3fe71379f78b586c0e568f1ae3c78f5
SHA1: 57cc5763c49cd64f7e8da7e334e4c0aa40520315 SHA256: 5a4fb19b594212bf7ecdfaade4ab2f95ee64a27c5a72ec506114b4ea7d166d65 SSDeep: 384:7ohAZ+ZFKZ4S2JKcjjFzL/epzveTyBM96iB9MlWsahpXAmr6:7+5zLjFzLmFe8M9fWlWPQd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000543-Lock.onion | 1.52 KB |
MD5:
41cf76b9c142b9ab6e9f40179de5ff12
SHA1: 20d645c91902a3588bf09ce0eb3068ae5538ebde SHA256: 66d2cf56d435751986b60003d883a234869e9111efab117be884bbb1949a8023 SSDeep: 24:Rv1GYORBCd8dq6YL1IQGEY9pgWSLnlFsJuoiC4L9gSxLnTGNUlRqUxA+GpMboWAq:Rv1KBCTLbWSDAT2gcTGaDqY/MrezFGk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 65.84 KB |
MD5:
af404b612ff55262454e78e34c7512f8
SHA1: a13356cedaf3867b710a48cadcfb52501fff89c3 SHA256: 82dd0596a2d3ce8ab9159bc36c13eda96945003e07f31b4be3fca0a27bc64607 SSDeep: 1536:3psLkrRQewBrcLAGQ5I/pYj2eiHgAKXxBvv5l9nBwKVi8tuAX5TI:3p7FLW6II/p7rHgxBlHwKVis5TI |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\00000562-Lock.onion | 15.98 KB |
MD5:
95f6d066c4b90575f659d2f9cf4683ac
SHA1: 1521e03bd063f0d2683e521743b1da949f1b9892 SHA256: f847f6bd854ef97d8280e3250f15d012b220c4cda9d8b35547d5f798ca4945c9 SSDeep: 384:r1lvNLMCgn/mwzjNySECRKzHqyCQ3ITmJ7jz9oNbSuDX:dwNnB7JRKzH+QTJjGNPX |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\00000298-Lock.onion | 1.59 KB |
MD5:
70fb042090fc9f5309303df43c863da9
SHA1: 189c592aeba562c05574a23d425e927a600e6b8a SHA256: 3987eb05b220e71d0bb1481d8cb3db7f96139df5da1fad4b9309844b0666a763 SSDeep: 48:bZAtWx78JHwfF6PPAaTKosyrSoRsUEB/PRMI5b:bZAsJ896F6PXTKoskSipq/N5b |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | 10.33 KB |
MD5:
9ace209c980df2d10dc67f82d4727264
SHA1: 6c7a8f3326462b056e3982d6e6ad924e4eb6a0ca SHA256: 48d5d91d4ed81e1f19e51e9bdfd7d432c709576ca013da0d56a4f369a7599436 SSDeep: 192:QLS0EHI1oWVZoVRkH08NFX4lKidZdw5tNYNQ283VNDpPqFjYk2nWnhBSC:+SPHI1BZoXoXVid85tVlpPWjff+C |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\00000570-Lock.onion | 15.25 KB |
MD5:
9e5168ea8f4ce371a06e3a58eb8d9505
SHA1: e79644e15f65a85ac3fa79d2728be443cd4c77e8 SHA256: efef790693c0d0eedd0befdd7f9dcf21f3edbfe7749a60dfb9287e64447c0af7 SSDeep: 192:oqsICj5mEqxuyAlffdBAQs+igQVmQkeX49ywyFbfLCqzrzmlUQXrXcQvhoNguAXO:oRIO5uuysD0SeI9yfVf2aaWsvosXOuq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\00000549-Lock.onion | 17.22 KB |
MD5:
685f2ed5f393580d3b56e72149834276
SHA1: 8cebfd209eea930e8795c282f852f5f954acf061 SHA256: ee40de56ce969d80f6da1b2ee527a8eaa0e4635a65dab5b21f398c4c2041f05a SSDeep: 384:qTok8/EhPBVfRn9jyrmIkQANL8nz0L2cs8tV6S168Q:9Mh5VJckQK8z62cs89I7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | 1.69 KB |
MD5:
eb2c7da749ddbaf4cb3bb68b8dd98afc
SHA1: 582372f3bbb114780cd2c35b3482b1d77d0b336e SHA256: edb29007b7ba7d93893acb369b23d82a4d3377b93972747762b6634ba3bb5edd SSDeep: 24:ce0RBzKaZGJq5AVFMy5GjywHm+ApH4rTT66L1bm3QEN+PdViNVK9kZ9wlwcUAQh:cFRUyANQJG+ApYrTvb1dVqVKMtcde |
|
|
| C:\ProgramData\sdelete.exe | 152.63 KB |
MD5:
f2bbf310a35f43916db6b664325b76a9
SHA1: 47ab6883dbf15736755eea62e4a0f9594b54071c SHA256: e75ef627bc6475287e73349e5ed4f9d9b831c9535c7b2751ed0d217c93a4b997 SSDeep: 3072:wzuoRFwoaXkn3uT8ZUF7jAcxtiBRrKyOf:w5pN3u97SyHf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\00000560-Lock.onion | 14.81 KB |
MD5:
fc6ac15da6e151e3904ec18b1821c6fa
SHA1: 8dac3f0ba7cb20bdb1e82de7ac6379cf3e7e1d62 SHA256: ea16deba87dc24a9c0a578c8e69dbd48077ef1bb5c4b8b90286cbb8b40047f5c SSDeep: 384:k45ux6T8/EkCZq+LDUWYcbAYlaC2FqXfWtpaDJe3TB:yjCk+LDUWYDeaCfXwpatwl |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000541-Lock.onion | 1.97 KB |
MD5:
bf1e2e5b0251fc25baffe8c76254a853
SHA1: f37aa7b2c9a93e31ca9eb8ae179bdeab9392f3d2 SHA256: 4018936c8a23e643b7fe76e94062e5b446edf787556ac8c4321ea7b522afc530 SSDeep: 48:icfBaBw/RSRZFlglIFIvWRYkgKWEXJCPUAI1Sug2JFol0n:iOmZFlpafEJOUH48FH |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\00000546-Lock.onion | 16.22 KB |
MD5:
357656a7d7b4cf76f14de55bab0f00d8
SHA1: 2598b7dd64fb966804ce7e0351b21382a7f915c9 SHA256: 08701e2860503f6fef8e2c51fd86eb2d524f3e56501ac59fc470502bf8dcd555 SSDeep: 384:f0VzQ5kYW0DxK4OQ0EtNnrun92PKCbL3I88sKb3krmYSHEz7w:nTxIsNn6n92J3CsKb3kSYcD |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\00001277-Lock.onion | 22.33 KB |
MD5:
b216a671d1dbb2faa07a63d8b05e6871
SHA1: 2bf62173b0297e736fd53639e3b475645aa8c10c SHA256: 7ed1b90d21a93708794d6880b80392c069c80993451718042ac747e703e2831a SSDeep: 384:ntPB+2kvnzis952/naa2gsOAyLnWDLfG2PmGuaiudtzl+AiuGT9IbZxNtcsuG:ntP43us3Cnrl0jG2uiiul+puc9IFxnc8 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\00001278-Lock.onion | 8.25 KB |
MD5:
907ef47bc0b228e75465e79fa20fd7d5
SHA1: f587fd0e04f5d9a0a6d068ac61800ef4f05aab9f SHA256: eafb66bf34676770d5350fe35cc7a9c927b3859bf1deb9ad45c6ed04041c7277 SSDeep: 192:2NT7ZbS7FUxZrDdACBgLzrVMkGsjnO2aJazoJC0SVYlaiOo7:21dKyDVPBgPtG0oYzt0blaq7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\00000557-Lock.onion | 15.73 KB |
MD5:
8a279f75689c4d61c14e5f68444fe2e0
SHA1: 09cb3e20206750f75da103e827caae3c256365a1 SHA256: 4c556d6edf08915fa703da67e2fb13d39b23985d6362735ced6926eaf7c23ac6 SSDeep: 384:ZivTrQ3k6KtGOUFANSAHpKFfws1CI5orPyNFiFXKOz8as90UyuhUG:cvTU3Ni4eSgpy5omNFh0huhN |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\00001279-Lock.onion | 8.17 KB |
MD5:
33c3c29c377a5f67c8a84f952751115f
SHA1: 903e04d12d1885715828edc0aafe1ea602a8bd17 SHA256: 162edc9b51fbb563ae0d470e110975da4613fca7624c551c885ab4ab8ab2e4b5 SSDeep: 192:xsKYAFh9ZaR8LESIqmwTNxMPGTtYbj07/vKtXdidgnLI4q5z:WkF0RPSIqmwTNPtYbQTvLdWELp |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.09 KB |
MD5:
b7fd98543397b4e13d395cc89895a180
SHA1: a4c135c94b34cbbe944e0d0b12b8182ed4da87e9 SHA256: c9828ba00064046cb24f40ad39c3968caf7baa41290fcef96f039dfe9b04b5c3 SSDeep: 1536:riogNlcLuX1pgFQGr9XfDJ1802Uv2YHwDReaE1z5uGnp7G:ngPcLuXvgffHwRXDReF5uW7G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\00000299-Lock.onion | 1.61 KB |
MD5:
eb640a5a1059c16b2189a4c77e4f9e6c
SHA1: d10928b4186433a1b5add483bfa66d861927b069 SHA256: 84318a3003cafd6559932f01e98c5fb214ae472df98dd1d81a705bc323ac127a SSDeep: 48:Oqn08YgdH3qTSxok6PTJwGzs4GBQ66LyY52x:/d6TwokeTJwGzyBmLyY52x |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | 11.23 KB |
MD5:
e285d1646649e9456613a00aba23f82a
SHA1: e393e9027f20559d1db19d76209e92065469c561 SHA256: 9816f91d84f2adbc48069987aea2056210c140fa4d84cf93be557332ed9b5abf SSDeep: 192:OHzmPgjn/AZpZummEZxia6bbno3gVZ2EEvLXDVBhVOGzOF6VC1Egk8JTFki5HzE:hcCpZuREZ09roYETXhDVOGzM1fkcki54 |
|
|
| C:\ProgramData\Safe.exe | 847.50 KB |
MD5:
c13d28dd3d19f5e01ef708fcdbb5e3b2
SHA1: e1791cc248bef5abbf3cb015e18a7ba88f0eee98 SHA256: 9c5b36db0d61dbf12414ac7c09f6c89395ac6af0438959a858e4cffcf6df4192 SSDeep: 24576:cAHnh+eWsN3skA4RV1Hom2KXMmHayfgO5:7h+ZkldoPK8YayH |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 182.96 KB |
MD5:
dbcbee51b39a86edda0d4b5bda82fa02
SHA1: 6090fc43bacc32f3ee9c6d3e8c36326d3579606e SHA256: 341a1ef149a50111eee312706a894cc1a3222b1b4a8d8881b00c8ec3abeb6070 SSDeep: 3072:mX5M/ioET7/Z/qYFuWNjfbHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvA:25M/Cj/uXa5McZd2At7mJ5MuzA |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\00000574-Lock.onion | 1.69 KB |
MD5:
f6398b5ccd5c91dbe0d44da446b5b45f
SHA1: 3a34969a94c98e257e754e5cc0310a83408a5e8a SHA256: 714bee5a2292bf7934bd1c1788e34e5caf65e1f3e2e610e9539ec06f7c6833da SSDeep: 48:/nrpyHXtOGbJDUrrXyRVtv/8tOgUkak566W0Pb6/vtCdV:/rG/JDeTIkF5BrW3gV |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\00000564-Lock.onion | 16.23 KB |
MD5:
d4f62447c6caa53e09e74c686a73073e
SHA1: 838a7ac072c4eedb7eb56ea86f1754603940b1c8 SHA256: 389dd4b1eb8daf808c2e61cec8c99167fc186726457c1de4ae5c01d713bcdb84 SSDeep: 384:P2dZYSg7jJpAciG5YNliAFzMlmtDfqKCbqPhPJiE8:P2dZYnJpAFiYNlHPaqPhP8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000542-Lock.onion | 1.97 KB |
MD5:
57a91bf2309cb3ed95d1a3502b541bac
SHA1: adfee7a86c112179d66f98bddb4b5d3be681c3a9 SHA256: a4dcea6ff76b2e48005303f606ae882102b9170c0652c20e3daca79dd848cb92 SSDeep: 48:WQqauaIVqy1FN7++th/GaWQquLrIHQcNNoMbIQ:qgiK+tVGaWQquYwcfrIQ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\00000572-Lock.onion | 14.42 KB |
MD5:
c6bcd81f6ee185535a984e9691bfa775
SHA1: 6ecb210402423c4c58c9006e581099c9d8b5478c SHA256: d9f121ef574f20addcc92114e96ad981c35f28bf05968dd90433fc75d9c63e7a SSDeep: 192:CISvdIk7Aooj6MFXWeEBkF/M5cZC+FfQAGdy48RasVhP0P8N6Nt5JQWqcIXDXCIW:CIsddENF0kFk5cZiAX4WLP/6BqcIb6p |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\00000559-Lock.onion | 16.45 KB |
MD5:
aefb07730aebec48974aa20c93ed26b4
SHA1: 41ce10ec2c593da6b713d47149d4c02a8bc8779f SHA256: 67def18c32d187c534db99d876fdb5096260d4d5b9e4ba7325524fd097164825 SSDeep: 384:KnbotwwKGV4JVlzY92FVz8ZCnWnHyPLc4wyQECfF:SboaDa2rzY9it8IWHqIRxRfF |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\00000578-Lock.onion | 1.59 KB |
MD5:
0b9f6683e25b8e488e5bc468dc67b3d7
SHA1: 718cf4dd447eb73640fc9e2d2e6bf660a4cf0402 SHA256: 0dbade5da71542a18229965d9804f0e1ff6ad217586c69d9adce5083304de442 SSDeep: 48:5uxT8vz5LViRrT/tLCfPivsVeYsd1PYnNJ9c5qGZ5zPPZ5t:5uxT8v1SrTVKi0CPAnyqMZPh5t |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\00001276-Lock.onion | 17.55 KB |
MD5:
92b3db580811d866ae747e056fbd32ad
SHA1: d23c051e4b27b5c85480b48196e2ed7992781131 SHA256: 7242b3fcc0f3eaa6706dd78e136897f38e235c6ae1eb40e7bf7adfcd5364e444 SSDeep: 384:VlE95T4Q/UGaFT4v7hEpOpEH6Xu83nzk8xqon9R:jsKJeep/6e4zkr+7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 68.98 KB |
MD5:
0414e745944512adc2e569f6ec56dee1
SHA1: 015f94e240453df5ba5289cddb0469c6c8fa151b SHA256: 658035de5b7866b7b33e95402563b7e1b1ec5d41b0e4d2ce26fe2028040040bb SSDeep: 1536:VzMGEX653oeestUKp5w0yG6QzgLQo6ZS1rSEa5bz/X:VzV3oQUKTPzgqZS1rYTX |
|
|
| C:\ProgramData\NoMoreLog.zip | 424.71 KB |
MD5:
c32de23012079cd05c10307ea42b89a5
SHA1: 372f4ac7918badc107bec744791f1a6856d0f222 SHA256: cd0eefc487b93838af927a9ea050d62d48275372f3a37f51ca0460064644258b SSDeep: 12288:LscnMD/K0FQwcbU5ZDv/Zd6kEpliRalbgr1K:Lsc70FQfQr7/6kml4als1K |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 2.19 KB |
MD5:
88498b444c4b5e0e3845c19bedca793b
SHA1: 24e8090890dc83cba1ba967da785230fb36c7f29 SHA256: 09805616f6816d114afa36f81e64d666399c0d94b4f503f364b39751bcb52444 SSDeep: 48:8Pg5FegPG3286PpM6Gyny09TrtFG9yBLIsM:dwgeN6gyJ/4Oe |
|
|
| C:\ProgramData\release.bat | 0.77 KB |
MD5:
168d004edc82b4a7c11b09c1e3b223d8
SHA1: 7d1ca31490cf87fdf228a7bc33f7d8b66eabfeff SHA256: 60400532cf0ec1271d0717e2064de6d14a770b9a78c34b6082788cbe38755f15 SSDeep: 12:qaPEfVQsbeVQsD76VpR3vfrCFI4vINZf3XeOHiFuYZzvc4/HcYmKUwoarCwa6:xCQsbwQsKV/og3XfvYZbF/vN1ogP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | 15.50 KB |
MD5:
e329b42eb14d31918528f8699785224c
SHA1: 9f59755c78254817062f4be15f9125f842a03ec8 SHA256: 6970b235576a7e62b862d998d3a030bea48aaf59d3eff19ca0bcbb55434cb425 SSDeep: 384:Zn0B1v5TSsmqrFbvEvN8YogWJn4ZyJ3bbXCtZjaUcHu7udW:u7vOq9Mi/kIfCjdKA |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\00000550-Lock.onion | 14.42 KB |
MD5:
3277af2d6756c2a39fc6a6b66c9173ec
SHA1: 9cf5261aed578cd51b02413ba060af908e6569c6 SHA256: c6408fd00239a7732585cbb5d85e657c18a16826229ad5994a360f81f68a28ce SSDeep: 192:J8lrEVqb5zls0QmsHIdjPvqlUrWAwQ79S9X5cNLPXS3DAUw2j6z2qylRpIwKvKlY:ql8ss0SKznG5oPX2wU46TIwK0Y |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\00000555-Lock.onion | 15.30 KB |
MD5:
4566f65e4676761e121367bb6d905853
SHA1: 1b08487fe4cac6f6de5449d7f86f2006932093f0 SHA256: d91ce866b8a025e39a1b5b99e2b15d963e96e3093ddf7d9f1d01355e744442fb SSDeep: 384:ZWLgVfckygL0rJQU2rJMit4ZPL2KHgbOu29r:L0FguJLc4ZxS6r |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\00000291-Lock.onion | 2.91 KB |
MD5:
5bf84a03ed6cd6a6f9a26465047bd81a
SHA1: 55c6f904a2b6ff4c6e537571a6bca3294c8b5f05 SHA256: 94b32f0e46aca395560faa0f54002875a93cafb875a9f7079ac57d7c9c7e7481 SSDeep: 48:6JV+p/uqi4Lm4EzuScAph+dq3Ld7IDYVxJqLi8dsmZXD7V+pFLKyHk4TWOrWCHdk:6JQfm1uSlL+d8Ld7JLqLrrNtiLZkMWPN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | 7.75 KB |
MD5:
00e8da0b9f52c2424921dd8eab19aeff
SHA1: 10a74ac96233929bb201084fbda6c4f059b9537c SHA256: 26167d97e8358c143ed740073ad934a5ebd17a9b2fa6a188af3a2292d7de8c55 SSDeep: 192:4kmZihix8KaugYAt2ucVPSM/4IV24hqE1Lk:rm8hixSKYO1SWN5q |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\00000569-Lock.onion | 15.16 KB |
MD5:
21e3702434943c2d530e0e6dcde397d8
SHA1: 49f09428b1f8a651f6413009210260d598a47e60 SHA256: 8b1fe136a33553fcb58a635e5661b4f570413e0369a41d80907b802e71508acf SSDeep: 384:lTnYNWyT5L6cC0K1waZsDaFkC+n086HGc89dpr:lz4WA5UX1ww3W0fTapr |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | 10.39 KB |
MD5:
40b470f1a770360c8111b65a4be4480b
SHA1: e344b876f6dc789c2dafc1e1393ef17c09d85fae SHA256: d1a8e4bc61d32224eee151b6ad8e9ad6e4b9372e3ced603d6106bf7db60a30ce SSDeep: 192:rpwPPaDuqu/z7GmzjTEErEvAB1n9jF6dxLtzGF+3aeUt1/XwTD2EAJcx6KtNmoLN:r6i6qgmmzHE1A3xkjtplUtu2Er8ULFcc |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 82.98 KB |
MD5:
db57949925606aa90a4cda70637ba6d7
SHA1: 0cfe3ba979ed561fc621a4b26afff45c243b062b SHA256: c58a6362d8510a4bb6333810c9ef30aa389e04a7e2e9a53779586826101a7257 SSDeep: 1536:xiRfP2+NVd0L2oExidaQ/gHL1FHPbv8klW5nGwLtfhQt45hOKKqcANme7QMTCB9r:xiRG+yL2ohapFv78AwLtpQtGKqcMP7js |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | 10.73 KB |
MD5:
6621f6e3f6f01ee83369e1bb43220250
SHA1: 2c50465545b97889072297de7e02ec4ad6f889bd SHA256: 6bd0ef665193d400497206344f6e1ca6cd804e9c9e2049effd16ba94ca07148e SSDeep: 192:OHzmPgjn/AZpZummEZxia6bbno3gVZ2EEvLXDVBhVOGzOF6VC1Egk8JTFkip:hcCpZuREZ09roYETXhDVOGzM1fkckip |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | 11.23 KB |
MD5:
40bbdf9998bb3e54d262f45de318c0ef
SHA1: 41b41b39029c5d8ede304c174b53e92dd7989fe4 SHA256: ad4072217fc1d115270af134d6691a35fd3d10df3a2785a1ea43a05ce38d98a5 SSDeep: 192:WjVszqVRhy0Hk+Gg0DG9DEB+zgJ3Ytk85OgVf1V3ahO6glXFbXkl5Kr:Wj/yom6WB+Q85tBoODbkDKr |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | 17.86 KB |
MD5:
df8e3193c2490c39d86eb12b53f45c95
SHA1: d730b9a5c6cf85e2d4a0fb13ecb8144b0dceee90 SHA256: 848181af90b0cd35ef654d5534da66d370541b97a2c1411569619e74d3e9c59b SSDeep: 384:dwhdjkRjhLW4yO94ClpsmBZwQxJ6+zLr07gUnMbvfLBOEW2MZ35Uw:UeRF/SvQxJ6wX07gUnMbLBBgjUw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | 10.89 KB |
MD5:
7d23203cb8bd60759668f1c0bc817b87
SHA1: 50d5beef2e1457847411dd67c684caba03c97fcf SHA256: 9943d7bcb5fd36528d2c78afb153e3aa207f0719912b0358efac866b0784097e SSDeep: 192:rpwPPaDuqu/z7GmzjTEErEvAB1n9jF6dxLtzGF+3aeUt1/XwTD2EAJcx6KtNmoLr:r6i6qgmmzHE1A3xkjtplUtu2Er8ULFcG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | 19.86 KB |
MD5:
ad89ba80abdcbf925334902afaedc07a
SHA1: c98547c561f3c644f83eb8dbf8546e25693c62bd SHA256: 779d01a31ebcc65f12e67991cd22a19c5b794484803dbe556e87ce3cededdb3e SSDeep: 384:F6EwEoUR0r/UTXO+6L5bU2OiI65ag9hkdKbsIVrtF6QKUaFSHJypcdSoT8jk1D5U:F6qR0rol2DI6rzVuQUFSHkiJggh5sGWx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | 8.38 KB |
MD5:
fb3cc4d78ef4b51c2ef2061c8600b032
SHA1: 4788f4c8fb1041744798f1cf30e0c79e1faf0dee SHA256: 301698a3e5ba24624597a61126bf17def3b0a0186c31214c70419768fa2bb2c1 SSDeep: 192:kx/VExynRAeE9HIUMQ+qdU7cdlaTASsg7yS29jP:kx/VExy8IUEccUa8SsfS2RP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.09 KB |
MD5:
abd1232fc81b6eb052aec30ca3bc3afd
SHA1: aaa71867a0e2688a1f2e1cf63da1ed0c65939cdd SHA256: c813e31ba991a32d67e179cff74e192f62a8d27ec67a5b4e7ca20c22d11e124f SSDeep: 1536:0Cx3pEUUeSXvOq8HV0m7y/gmU9hevqWcZHD9XX3q1TGj61X6Xi:0ZXfo10mm/gGvqWcZHD96p861KXi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 23.47 KB |
MD5:
1556434720b44b467adffe21365b0624
SHA1: bed3eb74fa34660f4fc7e9e7af0adaf35ff82c7a SHA256: b2e807be1d6f3e6c3a6d9c2c331e494877f5f564bbb9d18e38c846a1b5a920b6 SSDeep: 384:oILFvXxD0fdVv8QAsR7IjDCi+J7TmPSkr8ByjYa3Vyt44BnN7jscahcXls:Bv6fdFAIIt87Fk3YxHBnFjscns |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.09 KB |
MD5:
4f8baa2eb89f00aaf53db2b533910121
SHA1: 5c47ae13a2debb8e352a293c2d9fa6a2de06274a SHA256: bbd73d4fdc4a2077911d85cca9a815c5baae4104ef02d06c472fed5f5344b9a9 SSDeep: 1536:4SO+meNvsdDg9/dzoLu9oUt+ugN1amHSl8wq49cchKWDb9JJff:4SO+mWG6/dz1gNPHJcXln |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | 16.77 KB |
MD5:
103e7d4285d9fd4572b6620fc05f3b2e
SHA1: 3ba6c877ceeb4386987f5a92caeabfaaf0e7091c SHA256: 7c260fec4304a0a3e646ecf6f751ad9b34e23fd740b9461fefa98ef233b91e63 SSDeep: 384:kchjky5N7G03kojVYSj78rH+GsrXxXNmxWd5qYXV:kchjkSq03nj57ovsrqI5XV |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | 16.66 KB |
MD5:
1da01d4ac9e07abbb47e017accc8bae5
SHA1: 45d7a35617a2feb3ed9a0998b44cd9e075e5c188 SHA256: 06f5452ae7491d9e8292abb98529bd7f650d7f5810bf45bc2ad5f58c7cc38065 SSDeep: 384:QJOc8yFVVbvNA89hWllRSJ3GfBqwtepVT:AOcfVbvNA88PMWfBtOVT |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 67.59 KB |
MD5:
4ef121d5600c5afca6fe9a25904e8b88
SHA1: e7764367a4718e321ddba0ac171b1b7f7c6947b2 SHA256: e39e21e54b66c229687e50e01db04d991ca79c44e4d85f5d4f850b088ace1ece SSDeep: 1536:0Cx3pEUUeSXvOq8HV0m7y/gmU9hevqWcZHD9XX3q1TGj61X6X6:0ZXfo10mm/gGvqWcZHD96p861KX6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | 6.67 KB |
MD5:
905ff9f3cfbcf8ddbd0eb74bb8bfee78
SHA1: 6ca14184b9d639ccdb2711505cbfd668d27ef3ca SHA256: 4cdeb236babb32f53821472230866e62a897e3ecce4fd6c0cf854a96c9e978d3 SSDeep: 192:jO29ub0bBFIikKL4lt1C6dNLm3PgHwqc/XaZ:jP9eyjIikKMlnd9m3YHw9m |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | 9.36 KB |
MD5:
de7be05fd83b0df9f8ae48e72332fb39
SHA1: 34641a57abb4d2bba9c6f1bb1523a4ee0b469702 SHA256: 7209a7a89882ccc3bdb96ae5d23a9fd66676b5a9c3e96e892bdd956aa00c5b29 SSDeep: 192:68e/+4+TWWN1QbdkA4ohcq1x5/d/Nb4d5aQdZ3fu+vU:xe/+TdN1QpXDcovFKdMQdJfI |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | 10.00 MB |
MD5:
bcb39190507a3d384885187c95a1c538
SHA1: 218134b49a96db372e91a83b2901c3d008fb03e8 SHA256: 87d22b8e31f60ae8e9e6bdeff45b76c43cfc6e226710a98e36d95013e700112b SSDeep: 196608:EeUhGrDwd3fHoGYMvi6vxXeiozV+5tGd+XZgkrpdQi5aC:E1h3d3foqd1eiows+XZg+5F |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | 9.50 KB |
MD5:
15fba68edc9c80f3c84b20a08259d632
SHA1: 6833ebdf491aa3ba53bf239d582cad2ec5f2886c SHA256: f0d4d5364f887f33962e9accafcb5dcecf39b2bb5c3334712f8e32dc7f6f3210 SSDeep: 192:FkLqOY+3rngDCH3q+z7s+AbZ8v8D410ULbWScU8GXq4p5/4jFAFek9er97B7:KmO9rgy3qae9gB02bWMLpSK9O917 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | 10.00 KB |
MD5:
97abfdc970422d67e0211ce3e063a345
SHA1: 50b4828c8ce1736537d0c4869b7909b36c4970b9 SHA256: 9ac992d1fe437cbd808f26a807d8de3de838d0c6d58ec7bf4306b402ac39a58f SSDeep: 192:FkLqOY+3rngDCH3q+z7s+AbZ8v8D410ULbWScU8GXq4p5/4jFAFek9er97BNyjl:KmO9rgy3qae9gB02bWMLpSK9O91G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | 6.00 KB |
MD5:
1dc3d44b50465f1fcccb7a2958ea4b2c
SHA1: 46c09c00031e9c2f48f445a0e38101112e2048b7 SHA256: 820b85cbbe286013bf354ebf9d517b7e1bec186890e7f45364271b5da4ebf3b1 SSDeep: 96:yhzQeZzQEmIfCF8wEnxVSlrAKF2SVSI1Tr+6rnNLj0D29tkAT5yhJVgG5t3WWw5:kZqCwOxVSlrtaEVjiivK8G7A5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | 7.88 KB |
MD5:
c3984910bcb5452b4023a359bb6b2ed1
SHA1: 68d1982928182b632184aa29a865c618e839ab6b SHA256: 620a507b9b137609fc65e4950f6e725fd99f4056fb32462b98f45e72e3445ab3 SSDeep: 192:kLxqS1dB/te+s9YL9bncCzkFJxdiVe7XICGSq2/7IYHsXXyo:k9qSr7PiCzkjKTS5/7oXyo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 27.94 KB |
MD5:
cfdbbd7a489b0a50d9916741526de1d0
SHA1: 20cd4aa128aaf35578c724c92c4d333fab29cd4c SHA256: b59257c0f7435b6ef18199dbed4c0eef7f946b80425ce5ee0f9acf61bf738983 SSDeep: 768:XrkZ9JxZu7x+23UUM1SLr36LsfOJxLUYv:XYrJxZIx+221cr3Gsf+wYv |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | 9.92 KB |
MD5:
3a97b22fe1875a5404e1a722964c0d05
SHA1: 986ce6231b0b3a4143494c9509e1c28091112901 SHA256: 0e49aefffdb0d6c07c3613c42cf665be03324151810bcc674ef3ba00fb3aa2aa SSDeep: 192:WfEnnte+6eiBdtmXBXd2GTOfCFbWbEathiY03gc5Dujg+y0y7nkdBuPPZaumB:W14iBdIKGTO4bWX3i73Nujg+JxaxnmB |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 1.69 KB |
MD5:
7ab906f5ee8f8e643f44f2d60311c767
SHA1: 15c9f1d52d586a12011407c4fd8bc2c2978fcf3f SHA256: 28a8aeac5c53b50d9c89958c404f9aaa2106a0168dc23e6428c71e21a293fbc3 SSDeep: 24:5eBYbDOo35bBhheg+gkNUfbCjV29ANd81lBJnPpaQaviVZyv1/p04L44giy5GV0o:8Pg5FegPG3286PpM6Gyny09TW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | 17.89 KB |
MD5:
7788fd5f646c96a9178895624c92911b
SHA1: 04ea6d20b015f8f6d027bf69fee9773848c82e6a SHA256: 7a6a4b3b18de72eb9533a07e68ec92da9772f327e9215e65903c19d6fafd4eb6 SSDeep: 384:wIPZOzkIyOYRZpgTqrL9YjaPNS7K8T0kCisJ54UGNvI2bdEupe+M:ZkMZIopYjaPNS28ThxshGNQrszM |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | 8.47 KB |
MD5:
83712c3c5fbd1fec64560ad2fcd00536
SHA1: eeef17f6a896e873b7b356f23ebcf1d83e831858 SHA256: 9481bb56b1b75f33370b94ae568bac9b3ca7226e8f71488fbea24a60ffdf963e SSDeep: 192:vo2UREtP4BVn8s0HmcFC9INqN88y66D09XNfCO//+p69D+n:g2U8Pyn8sUFC9SqH6DuNPGq0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 30.14 KB |
MD5:
b6fbb6435a93fb782e0cebaf651428fa
SHA1: 35efee550173900323e8208ac86d08ef6646ba8c SHA256: 9ca1fc48cd0d35024635c54eb1bb0a2b0f2854e40829ecf4d88f0d56bd8e881a SSDeep: 768:umT5QejXYz3cfChXbd2ARCEGIdIocPMTBoJAhG6zsM8yE0DKjVFyh9jEy:n+47fOrvpGSqwBmAhp4nyMGEy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 58.17 KB |
MD5:
91120505cdb0d059b6b81afc8022ef20
SHA1: 50c8e1afb06e1687bc643d492fdb153e1ae3568d SHA256: 5363bf091b4164870d97210253c6393b30219861e9ef1acf75ddc5fc4e2ae962 SSDeep: 1536:Bcr/BmgV76r6XTAeYTz+R+vyY3hdnQPVySxsbg:BSAG2e8Bz+RfY3jg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 22.81 KB |
MD5:
cc20bf380f20bada5b9c16a6c7762bed
SHA1: 73c7e2e28a6449c401fb3cb9f5f9c20a0248dfc4 SHA256: 9dc0a21aaef574b7951cfe275fcc534ba83eb9eae408ee7ec4dc9ab6c26a74f1 SSDeep: 384:lRte47haKuJxEtaXAc6M8GRk9fn8+gpWtUTaqa+t8kG45fy3cPSf:lDe47hNFkXKM8Cy/zyWyGqlPdfy3c6f |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | 15.61 KB |
MD5:
a8efb389201cb91c5c284790c026ffaf
SHA1: e81d3eeea4517c3a71e77a309d5787fed4c5fefc SHA256: 75975222fababb1c50fc21aa74ffb726d22531b5f4462be519a5af1044547634 SSDeep: 384:dwP5PjtGfj0Z8BnI6AomuXeZYxyErsBxf8W6I:dwP5PJgfBnIhlYeZY9sBxWI |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | 10.73 KB |
MD5:
796ad2c241b47c8f9f53ffbc277ecca3
SHA1: 6c574b5f6a1e8a663cf138bf5e6ee315ff3dd899 SHA256: 0fc937fe2b11ea2c1d57ec4a28fe5fa3f8ed484bc65fc00332193ac82af9ed07 SSDeep: 192:WjVszqVRhy0Hk+Gg0DG9DEB+zgJ3Ytk85OgVf1V3ahO6glXFbXki:Wj/yom6WB+Q85tBoODbki |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | 15.61 KB |
MD5:
c3d33c9b68ba3aa2fb2145e01843520f
SHA1: 928e8de5c1b7c3d8fa7536ec8176068e9104d1bc SHA256: d1b4eac277fcbab7b93ee3c504f1d61b8fb206445b273a09c98f07b18a983144 SSDeep: 384:CarTH29ixkwjkLKhXxYIt9wyZe9HdSC4QGms1bcWMVvKsg:f8ixkZOhG8xeZdLGmyj/j |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 27.44 KB |
MD5:
3a491f6883d01683e4d8e3271b6b24bb
SHA1: 6e0feed824ebf19ea9fd07137dae872fc55e44ae SHA256: e7b9e3fdac402e112dafbc1316eb10667bd5dffe4e441c1139041469d0e6ccfd SSDeep: 768:XrkZ9JxZu7x+23UUM1SLr36LsfOJxLUYW:XYrJxZIx+221cr3Gsf+wYW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | 8.69 KB |
MD5:
29fb426ad7056e6f466d1a74744a3e58
SHA1: e3e62eab66e6cc0a81afc7a9a6be075b62a4c939 SHA256: 13261f49e17d73d1f8d7f2567bf4b6511b5ea54e55716269f0a3c8616ab49521 SSDeep: 192:uV0l5QSHGeJq51cIxeTT6zS6bx9crk6AUDyrI2domJ3MU1UUa:FQSmiq51E6ZFiAIyEWomq4UUa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 23.97 KB |
MD5:
67373c4a76559649d9e4fcceeeb35b7c
SHA1: 5a1c1c1efb58646c50c60f19503aefab458439cf SHA256: 3633adee017a9c9647a8904b5f6504e0f099141928cbfc61d8eff97efd7f326c SSDeep: 384:oILFvXxD0fdVv8QAsR7IjDCi+J7TmPSkr8ByjYa3Vyt44BnN7jscahcXlAe:Bv6fdFAIIt87Fk3YxHBnFjscnz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 67.59 KB |
MD5:
a18874c90d9258533580cd5c9b84cc99
SHA1: ddc2d67cc8097d6558b8135a48b709097c081ddb SHA256: 1756cbb4f2523a5151287f58eac088d98d75163064edb0c8eeab8a9bb8cf9f31 SSDeep: 1536:riogNlcLuX1pgFQGr9XfDJ1802Uv2YHwDReaE1z5uGnp7S:ngPcLuXvgffHwRXDReF5uW7S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 23.31 KB |
MD5:
eec163e103125cabd371256b0e8b633b
SHA1: ec394df0ab994ac7146612c0dd5d376410351be0 SHA256: 2e4fb1ced45ffe9669201240d4465a214ca395f5d2009d27518e9ef6454f3ff4 SSDeep: 384:lRte47haKuJxEtaXAc6M8GRk9fn8+gpWtUTaqa+t8kG45fy3cPS79:lDe47hNFkXKM8Cy/zyWyGqlPdfy3c6Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | 8.47 KB |
MD5:
b7e434e1794fb30c5b2ed158edcd018d
SHA1: 790d86af467d9798e92afe710baedd055794ab11 SHA256: c4ef7eaa95675083ca7444f2a16f7e7113247522ab40cb323b1bafe26369b4f5 SSDeep: 192:1In119lwfUwWmHqRqtJAWHwtToAyErG6nWBqHMhyfr:a1PqUHm0oWWHwtoAyEDnWBqH2yfr |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | 8.38 KB |
MD5:
ab58f93b204bcf4d3d36e92408971adc
SHA1: 9e04aed00e37bcaecbd010af16e206248140f79c SHA256: 2e271d34d6a1a0b6d24c2a1f682ced49fa987a2bed1a56d487a239ddaa44685a SSDeep: 192:kLxqS1dB/te+s9YL9bncCzkFJxdiVe7XICGSq2/7IYHsXXyM+5:k9qSr7PiCzkjKTS5/7oXyM+5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | 9.09 KB |
MD5:
f82b369623032cc6d82417693d617135
SHA1: 38f177d6461b70ebc38ef00ed4cb053c189d3ea8 SHA256: 2d177d4a3e6a86b33d0810857ba42b867069deb98f2a048dfb3327293387c8cf SSDeep: 96:TFgCDMw65MyRop5PgvJUDuthjMb3t6julET/wrnDqwG+w8OzhQnDW3IAck6vTSy4:xgxeCM6ju+TgqP8ioR5RvTSyf1OunBfO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 182.46 KB |
MD5:
8fb2220650486e3c7e45aacd11195b28
SHA1: a781f23ae8b8d82c801f2a1991bd20b5c44f33e8 SHA256: bd885fb7f9ad7190e603f77f88828f5270a71ca1796f7c14f7a0faf4591566fd SSDeep: 3072:mX5M/ioET7/Z/qYFuWNjfbHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvR:25M/Cj/uXa5McZd2At7mJ5MuzR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 68.48 KB |
MD5:
a0a5fea2bfb7409683891cbc9e0462a7
SHA1: 9296745713a279559568db17592a1972d165e6c4 SHA256: a38458091fa5900eddb29cf6afb620e6a13c0754bfd2c5864ac663deb002e9dd SSDeep: 1536:VzMGEX653oeestUKp5w0yG6QzgLQo6ZS1rSEa5bzG:VzV3oQUKTPzgqZS1rY6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | 7.88 KB |
MD5:
b326fb5b9cc4f8fd908f95022e42b395
SHA1: b34d0cd1c4951fa5c4820d9539dcf771e5335273 SHA256: d71e4f72a699bb30816a3a7620b5bac3ad5186855864a5842bd8269a1f37313d SSDeep: 192:kx/VExynRAeE9HIUMQ+qdU7cdlaTASsg7yS2k:kx/VExy8IUEccUa8SsfS2k |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | 10.11 KB |
MD5:
2f183925fd19d6f083621d16cf3e7472
SHA1: 3e3a7a9fd1e7d008c03552bf73ca8d896fd842cb SHA256: cfb52c86c0b64ac07dc1ff274a6ef0b9edca9325bc329ef1fcb83cb4967cfe34 SSDeep: 192:58qfB1g/nmAq1f6fI+GW5PmO9YsDprqF6ysRrATp1k7wh5m13cLI9WjiBFNDL:58VOAq1fLoPB1rIQrAd1k7doI9WYZL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | 9.83 KB |
MD5:
f1208299ee44760fbf2f4333c7839979
SHA1: 8d1b1bb140be34a0f3ddb14c989726e502723d83 SHA256: 0a7c19b5e77ae385b6aae450711506d7cc5eea71ee3f46d5161ee630980d9f71 SSDeep: 192:QLS0EHI1oWVZoVRkH08NFX4lKidZdw5tNYNQ283VNDpPqFjYk2nWF:+SPHI1BZoXoXVid85tVlpPWjfd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | 6.17 KB |
MD5:
03d1b92f4756ce7fabce9d92c9f44a23
SHA1: 7309082d886e8c4bb06399a76c8d5ce72345c417 SHA256: 6837a1a8cc8537687515376198d5a178a1ed492fa327f577e3673a06ca2dce38 SSDeep: 192:jO29ub0bBFIikKL4lt1C6dNLm3PgHwqc/Xac:jP9eyjIikKMlnd9m3YHw9/ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | 332.00 KB |
MD5:
9ed5507a5fdea4499c29ca2e19a7c622
SHA1: 5cf5d523e57c46999535c4cea1eac68025cb49d7 SHA256: 4d377429a5923b4f1d9bc48af2f028684af4d21670591398c1d0895d1c51e2ee SSDeep: 6144:WzI7QRFsR0LP/1FJHIG8duTxp7jpIzX/WgxuiOkZf9vE6V5GnkSCBS83Y:XYI0T/1Fedgp7jkvbpZ/HYHoSOY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | 17.39 KB |
MD5:
b76addfcaeb3b554e7379b29ca137278
SHA1: 6db31aafd7b7973851f3ca9dda7a9cbf42bff7c5 SHA256: a7253bdc6059a8417ef0f1e61655adae95b542e9c043b686e50cf09539122f50 SSDeep: 384:wIPZOzkIyOYRZpgTqrL9YjaPNS7K8T0kCisJ54UGNvI2bdr:ZkMZIopYjaPNS28ThxshGNQ8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | 16.27 KB |
MD5:
e9ec08de96f28f65bda2687d21eeb6fe
SHA1: 5a090f17da2f86aad253b43bb69ea23cf27151ab SHA256: 6ae5c15b994a1335ddc43fe7485d5a0558204ce5eef068549bc27ac4363a6e07 SSDeep: 384:kchjky5N7G03kojVYSj78rH+GsrXxXNmxWd5qYp:kchjkSq03nj57ovsrqI5p |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 65.34 KB |
MD5:
a0ae7a0009444008aefe96aaa3e80774
SHA1: ea1127a806ecee567edc8ac3cda6f956210f0e07 SHA256: b82d2b9814efa79af42cf732ccef0bc258720ccbe24c167460015a99958163b3 SSDeep: 1536:3psLkrRQewBrcLAGQ5I/pYj2eiHgAKXxBvv5l9nBwKVi8tuAX5T4:3p7FLW6II/p7rHgxBlHwKVis5T4 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | 7.25 KB |
MD5:
abfd910ec5b62a6e71f8afc521009b13
SHA1: e06c26ba13d374429b7299255a4a95491ffd1102 SHA256: f1214f171c96fe18fdf51f76b210fd86a3efea9ba28c25faf2efd39f74ea31a3 SSDeep: 192:4kmZihix8KaugYAt2ucVPSM/4IV24hqEt:rm8hixSKYO1SWN5t |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 82.48 KB |
MD5:
0a16ea202de1909e8eb3fd7bbc430293
SHA1: f47718cd3c98bb4cb95f9036ab283cf5aed532cc SHA256: aa87b136c3d562ed6f4e976247eb786729e60bfb3e51bf5a2ac38378d930a343 SSDeep: 1536:xiRfP2+NVd0L2oExidaQ/gHL1FHPbv8klW5nGwLtfhQt45hOKKqcANme7QMTCB9f:xiRG+yL2ohapFv78AwLtpQtGKqcMP7jU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | 1.19 KB |
MD5:
43912f317546fd95b0590628fccd8f97
SHA1: deca48c995a256a40f500e04aeb0e18bbc7953a9 SHA256: 445a47cf70d0813c4f06f07b67b585175ef6df11da2dc7254e13eec6555fcbef SSDeep: 24:ce0RBzKaZGJq5AVFMy5GjywHm+ApH4rTT66L1bm3QEz:cFRUyANQJG+ApYrTvb1e |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | 7.97 KB |
MD5:
fdb24ee938c1d44d1967bb6a48ec1b2d
SHA1: 3682a46328ff0b8e928d12914bca099a49e8caf3 SHA256: 20455d7556f9f88c04aaf1ff52a0550810bf05619b499945c34719b0adac230a SSDeep: 192:vo2UREtP4BVn8s0HmcFC9INqN88y66D09XNfCO//+p69D+l:g2U8Pyn8sUFC9SqH6DuNPGqq |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | 15.11 KB |
MD5:
ca9d0f9c30967baa45bddcc345962a83
SHA1: 1088be3ea1915e646b23b2492dca32427399564f SHA256: 284c8d939c610339a015feb1cd82005b331e18bfc625e6b4408f4b6d541130e0 SSDeep: 384:dwP5PjtGfj0Z8BnI6AomuXeZYxyErsBxf8WF:dwP5PJgfBnIhlYeZY9sBx5 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | 16.16 KB |
MD5:
8d810b0030353165249bd02f9dfdb2a6
SHA1: c53c6a6b0e5faa2d142765a055ee0086f06c4732 SHA256: 28c1d3a6dba3c33904cb875d98d1985be035e19c9781e32cceab7adf453bc794 SSDeep: 384:QJOc8yFVVbvNA89hWllRSJ3GfBqwtepVU:AOcfVbvNA88PMWfBtOVU |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 65.84 KB |
MD5:
af404b612ff55262454e78e34c7512f8
SHA1: a13356cedaf3867b710a48cadcfb52501fff89c3 SHA256: 82dd0596a2d3ce8ab9159bc36c13eda96945003e07f31b4be3fca0a27bc64607 SSDeep: 1536:3psLkrRQewBrcLAGQ5I/pYj2eiHgAKXxBvv5l9nBwKVi8tuAX5TI:3p7FLW6II/p7rHgxBlHwKVis5TI |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 57.67 KB |
MD5:
33a56526c695db1b3d78ab7d6e7413da
SHA1: f193933fdda3e9a4dfc8536aee6a138d9325bece SHA256: 13adf3476060654e261f5045de13ced0784750ea2e20d257e81ef6236846a913 SSDeep: 1536:Bcr/BmgV76r6XTAeYTz+R+vyY3hdnQPVySxsbQ:BSAG2e8Bz+RfY3jQ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | 8.19 KB |
MD5:
894df75768bbc717792e44042cf7629b
SHA1: aefb9c5078fcd0ca837cc06c6c19020a68cba8ca SHA256: 9ee08c55c7cde5367e9617914f755961ff0b1c4423179cb5990f78f5014b3015 SSDeep: 192:uV0l5QSHGeJq51cIxeTT6zS6bx9crk6AUDyrI2domJ3MUJ:FQSmiq51E6ZFiAIyEWomqG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | 10.33 KB |
MD5:
9ace209c980df2d10dc67f82d4727264
SHA1: 6c7a8f3326462b056e3982d6e6ad924e4eb6a0ca SHA256: 48d5d91d4ed81e1f19e51e9bdfd7d432c709576ca013da0d56a4f369a7599436 SSDeep: 192:QLS0EHI1oWVZoVRkH08NFX4lKidZdw5tNYNQ283VNDpPqFjYk2nWnhBSC:+SPHI1BZoXoXVid85tVlpPWjff+C |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | 1.69 KB |
MD5:
eb2c7da749ddbaf4cb3bb68b8dd98afc
SHA1: 582372f3bbb114780cd2c35b3482b1d77d0b336e SHA256: edb29007b7ba7d93893acb369b23d82a4d3377b93972747762b6634ba3bb5edd SSDeep: 24:ce0RBzKaZGJq5AVFMy5GjywHm+ApH4rTT66L1bm3QEN+PdViNVK9kZ9wlwcUAQh:cFRUyANQJG+ApYrTvb1dVqVKMtcde |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 67.59 KB |
MD5:
051bd0cf044d214bb6320a382a62ae83
SHA1: cb8b9149a4d408743f8f79d23b9fc715a726f6b5 SHA256: 1bce345765e31ada22695fe2c27be3e17ab0ae5d35dd5e7df237a204d9c698c8 SSDeep: 1536:4SO+meNvsdDg9/dzoLu9oUt+ugN1amHSl8wq49cchKWDb9JJf7:4SO+mWG6/dz1gNPHJcXlj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | 7.97 KB |
MD5:
af6f1ce8f2aad964cbdc05b6543bb341
SHA1: 6e159acbc4458d3b67c5be5d8f2fb2e14fd4afa6 SHA256: 8384f32e43e458f791c7e33d13677768d12cace472b3ed532cf4f8d1dabb3f48 SSDeep: 192:1In119lwfUwWmHqRqtJAWHwtToAyErG6nWBqHMhyfh:a1PqUHm0oWWHwtoAyEDnWBqH2yfh |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | 17.36 KB |
MD5:
47d9f0f65742c4987304cffb176bdca8
SHA1: c705adcf042c325559b2c59612dd2bde6779c418 SHA256: e203a9a84036bf7600b42d39397c04a8fcf74de85f36809dd60b8d2438c0c13d SSDeep: 384:dwhdjkRjhLW4yO94ClpsmBZwQxJ6+zLr07gUnMbvfLBOEW2MZ3t:UeRF/SvQxJ6wX07gUnMbLBBg3 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.09 KB |
MD5:
b7fd98543397b4e13d395cc89895a180
SHA1: a4c135c94b34cbbe944e0d0b12b8182ed4da87e9 SHA256: c9828ba00064046cb24f40ad39c3968caf7baa41290fcef96f039dfe9b04b5c3 SSDeep: 1536:riogNlcLuX1pgFQGr9XfDJ1802Uv2YHwDReaE1z5uGnp7G:ngPcLuXvgffHwRXDReF5uW7G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 29.64 KB |
MD5:
d3e894ac56f23630b4e446f35cc76216
SHA1: 07968dc5b81c7fdf17c1a0ce4c54bd9c6c0683a4 SHA256: 48ad63da0e65139ceaa2d0168568058bdb6c992865c1a3db8d5c41e45fc6c73b SSDeep: 768:umT5QejXYz3cfChXbd2ARCEGIdIocPMTBoJAhG6zsM8yE0DKjVFyh9jEw:n+47fOrvpGSqwBmAhp4nyMGEw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | 11.23 KB |
MD5:
e285d1646649e9456613a00aba23f82a
SHA1: e393e9027f20559d1db19d76209e92065469c561 SHA256: 9816f91d84f2adbc48069987aea2056210c140fa4d84cf93be557332ed9b5abf SSDeep: 192:OHzmPgjn/AZpZummEZxia6bbno3gVZ2EEvLXDVBhVOGzOF6VC1Egk8JTFki5HzE:hcCpZuREZ09roYETXhDVOGzM1fkcki54 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | 15.11 KB |
MD5:
3106b6d0f6aeca7bc0fcc08dbdf829c3
SHA1: 0bf9062c33b9aae94e9c7908f9ca6864c64bec67 SHA256: 5fd2e6dc51999c4b5c496c2f33bd268d426fa5fe2e0870e18a3c92a768c3cb17 SSDeep: 384:CarTH29ixkwjkLKhXxYIt9wyZe9HdSC4QGms1bcWMVvh:f8ixkZOhG8xeZdLGmyjE |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 182.96 KB |
MD5:
dbcbee51b39a86edda0d4b5bda82fa02
SHA1: 6090fc43bacc32f3ee9c6d3e8c36326d3579606e SHA256: 341a1ef149a50111eee312706a894cc1a3222b1b4a8d8881b00c8ec3abeb6070 SSDeep: 3072:mX5M/ioET7/Z/qYFuWNjfbHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvA:25M/Cj/uXa5McZd2At7mJ5MuzA |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | 5.50 KB |
MD5:
f7876a8aa89a2accbe8c31f465387c99
SHA1: e928c32ddad7dc9f6d02412f633d0db844408670 SHA256: 8a85a2ac8698fec454cf47748b372d35a8afd552ec398a61329241e18c19b645 SSDeep: 96:yhzQeZzQEmIfCF8wEnxVSlrAKF2SVSI1Tr+6rnNLj0D29tkAT5yhJVgG5w:kZqCwOxVSlrtaEVjiivK8Gm |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | 8.59 KB |
MD5:
ba8db7473c804274ede06e3105e05176
SHA1: 82ec317c44791cfa249ac39e1df4324873e6c27c SHA256: 52e41eab1247256e0379b3dc115f8352db808c383c746a61bdaea1b7e288aaec SSDeep: 96:TFgCDMw65MyRop5PgvJUDuthjMb3t6julET/wrnDqwG+w8OzhQnDW3IAck6vTSyX:xgxeCM6ju+TgqP8ioR5RvTSyf1OunBfp |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | 8.86 KB |
MD5:
3b500316ea0947df32318385275fd317
SHA1: 6d6b302b98340ef80c215a48f64edb41fc440c2a SHA256: 3028fca6724638bf19fe18770cfa620fe3f0f61909ea4385b4e30e7daa89f7cf SSDeep: 192:68e/+4+TWWN1QbdkA4ohcq1x5/d/Nb4d5aQd6:xe/+TdN1QpXDcovFKdMQd6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 68.98 KB |
MD5:
0414e745944512adc2e569f6ec56dee1
SHA1: 015f94e240453df5ba5289cddb0469c6c8fa151b SHA256: 658035de5b7866b7b33e95402563b7e1b1ec5d41b0e4d2ce26fe2028040040bb SSDeep: 1536:VzMGEX653oeestUKp5w0yG6QzgLQo6ZS1rSEa5bz/X:VzV3oQUKTPzgqZS1rYTX |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 2.19 KB |
MD5:
88498b444c4b5e0e3845c19bedca793b
SHA1: 24e8090890dc83cba1ba967da785230fb36c7f29 SHA256: 09805616f6816d114afa36f81e64d666399c0d94b4f503f364b39751bcb52444 SSDeep: 48:8Pg5FegPG3286PpM6Gyny09TrtFG9yBLIsM:dwgeN6gyJ/4Oe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | 9.42 KB |
MD5:
f392cc9e03495d9c8aed4866b3e29746
SHA1: c013eeba50560c60c19b40e9fa6ab5e939bbb827 SHA256: 3af037baa3ab29830b5b452493a5aff7ce188827dcaea87d9803a20fa132abf0 SSDeep: 192:WfEnnte+6eiBdtmXBXd2GTOfCFbWbEathiY03gc5Dujg+y0y7nkdBuPPZ6:W14iBdIKGTO4bWX3i73Nujg+Jxax6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | 15.50 KB |
MD5:
e329b42eb14d31918528f8699785224c
SHA1: 9f59755c78254817062f4be15f9125f842a03ec8 SHA256: 6970b235576a7e62b862d998d3a030bea48aaf59d3eff19ca0bcbb55434cb425 SSDeep: 384:Zn0B1v5TSsmqrFbvEvN8YogWJn4ZyJ3bbXCtZjaUcHu7udW:u7vOq9Mi/kIfCjdKA |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | 331.50 KB |
MD5:
780cce6641cfeefb031f9f6c1fe6e0ff
SHA1: 08ecfa03667650b0b16ab036db28ec1742ff4280 SHA256: 593402013b00ed76ccba359022495187c970c677e6cb18c68364a4ccdc1cff33 SSDeep: 6144:WzI7QRFsR0LP/1FJHIG8duTxp7jpIzX/WgxuiOkZf9vE6V5GnkSCBS836:XYI0T/1Fedgp7jkvbpZ/HYHoSO6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | 19.36 KB |
MD5:
3fa81e3c1e4eb63c027b1199691b3d46
SHA1: 4a4319ffb2127db496aecbd3d870eecfaff74b72 SHA256: e0b5c076d982ff276a0ad2d9b928b7109f536898de624d17a5b7dc294dfbf555 SSDeep: 384:F6EwEoUR0r/UTXO+6L5bU2OiI65ag9hkdKbsIVrtF6QKUaFSHJypcdSoT8jk1D5N:F6qR0rol2DI6rzVuQUFSHkiJggh5sGWk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | 9.61 KB |
MD5:
ce35ea948638c1f448b74692ecc2b7d1
SHA1: fffcf747748a1b6c919e3b2e5295e56dbe5fee8a SHA256: e7b766b67cb00ebab19da060904df522d6b796a942c863c2f63b2034ba664119 SSDeep: 192:58qfB1g/nmAq1f6fI+GW5PmO9YsDprqF6ysRrATp1k7wh5m13cLI9WjU:58VOAq1fLoPB1rIQrAd1k7doI9Wg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | 7.75 KB |
MD5:
00e8da0b9f52c2424921dd8eab19aeff
SHA1: 10a74ac96233929bb201084fbda6c4f059b9537c SHA256: 26167d97e8358c143ed740073ad934a5ebd17a9b2fa6a188af3a2292d7de8c55 SSDeep: 192:4kmZihix8KaugYAt2ucVPSM/4IV24hqE1Lk:rm8hixSKYO1SWN5q |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | 15.00 KB |
MD5:
88b15ca15c0cdb76fb04ba38741b8343
SHA1: d044f7089b7a97e6196cad0705197263a7663985 SHA256: 40ee5a881365460d668047f90db400879f535bb47ee5b75d329226738083e117 SSDeep: 384:Zn0B1v5TSsmqrFbvEvN8YogWJn4ZyJ3bbXCtZjaUcHuT:u7vOq9Mi/kIfCjdT |
|
|
Host Behavior
File (5816)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\NoMoreLog.zip | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\NoMoreLog.zip | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Safe.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\ProgramData\Safe.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PerfLogs\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\PerfLogs\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\CrashReports\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Google\CrashReports\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\en-US\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\en-US\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\images\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\images\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\SIGNUP\Touch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\SIGNUP\# How to Decrypt Files.html | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft.zip | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Microsoft.zip | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\sdelete.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\ProgramData\sdelete.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\sdelete64.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\ProgramData\sdelete64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\Eula.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\ProgramData\Eula.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\release.bat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Kraken.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\ | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\NoMoreLog.zip | type = file_type |
|
4 | |
| Get Info | C:\ProgramData\NoMoreLog.zip | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\ProgramData | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Safe.exe | type = file_type |
|
2 | |
| Get Info | C:\ProgramData\Safe.exe | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Safe.exe | type = file_type |
|
2 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\bootmgr | type = file_attributes |
|
1 | |
| Get Info | C:\BOOTNXT | type = file_attributes |
|
1 | |
| Get Info | C:\hiberfil.sys | type = file_attributes |
|
1 | |
| Get Info | C:\pagefile.sys | type = file_attributes |
|
1 | |
| Get Info | C:\swapfile.sys | type = file_attributes |
|
1 | |
| Get Info | C:\$Recycle.Bin | type = file_attributes |
|
1 | |
| Get Info | C:\Boot | type = file_attributes |
|
1 | |
| Get Info | C:\Config.Msi | type = file_attributes |
|
1 | |
| Get Info | C:\Documents and Settings | type = file_attributes |
|
1 | |
| Get Info | C:\PerfLogs | type = file_attributes |
|
1 | |
| Get Info | C:\PerfLogs\Touch | type = file_type |
|
2 | |
| Get Info | C:\PerfLogs\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86) | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\bound desert.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | type = file_attributes |
|
5 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | type = file_type |
|
4 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000000-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000000-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | type = file_type |
|
26 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000001-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000001-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000002-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000002-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000003-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000003-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pe.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000004-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000004-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000005-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\00000005-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\00000006-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\00000006-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | type = file_attributes |
|
4 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000215-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000215-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000216-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000216-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000217-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000217-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000218-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000218-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000219-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000219-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000220-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000220-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000221-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\00000221-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\00000222-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\00000222-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\00000223-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\00000223-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\00000224-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\00000224-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png | type = file_attributes |
|
4 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000286-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000286-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000287-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000287-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000288-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000288-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000289-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\00000289-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\00000290-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\00000290-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\00000291-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\00000291-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\00000292-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\00000292-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\00000293-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\00000293-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\00000294-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\00000294-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\00000295-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\00000295-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\00000296-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\00000296-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\00000297-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\00000297-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\00000298-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\00000298-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\00000299-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\00000299-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\00000420-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\00000420-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\00000421-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\00000421-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\00000422-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\00000422-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\00000423-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\00000423-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\00000424-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\00000424-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\00000425-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\00000425-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\00000426-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\00000426-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\Touch | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | type = file_type |
|
6 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\00000427-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\00000427-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\# How to Decrypt Files.html | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000538-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000538-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000539-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000539-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000540-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\00000540-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_AddBlue@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Checkmark_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Crossmark_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_delete@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_FilledDot_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Line_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Roundrect_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Sign_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Comb_field_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_AddBlue@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Crossmark_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_delete@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_FilledDot_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Line_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Roundrect_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Sign_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_TypeTextFields_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Comb_field_White@1x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000541-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000541-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000542-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000542-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000543-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\00000543-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\00000544-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\00000544-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\00000545-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\00000545-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\00000546-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\00000546-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\00000547-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\00000547-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\00000548-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\00000548-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\00000549-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\00000549-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\Touch | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | type = file_attributes |
|
5 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | type = file_type |
|
3 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\00000550-Lock.onion | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\00000550-Lock.onion | type = file_attributes |
|
2 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\# How to Decrypt Files.html | type = file_type |
|
1 | |
| Get Info | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il | type = file_attributes |
|
1 | |
| Move | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\00000055-Lock.onion | source_filename = C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | size = 79696 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 1728 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 186848 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 468208 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 1104 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 77504 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | size = 27040 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | size = 8064 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | size = 8160 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | size = 15472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | size = 8800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | size = 19824 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | size = 8384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | size = 17776 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | size = 8064 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | size = 8160 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | size = 15472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | size = 179296 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | size = 385440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | size = 179376 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | size = 283632 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | size = 2896 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js | size = 2464 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | size = 3216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js | size = 2464 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | size = 1216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css | size = 4624 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | size = 1200 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png | size = 1200 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js | size = 1120 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | size = 1136 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | size = 9072 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | size = 10064 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | size = 9648 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | size = 9840 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | size = 10992 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | size = 10992 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | size = 9728 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | size = 10640 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | size = 1504 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | size = 1504 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | size = 1040 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | size = 1504 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png | size = 1504 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | size = 1040 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | size = 635392 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | size = 1152 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js | size = 16096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js | size = 15632 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js | size = 14928 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | size = 17120 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | size = 14256 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | size = 15856 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | size = 14912 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js | size = 15504 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js | size = 16640 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js | size = 15152 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js | size = 15808 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js | size = 15600 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js | size = 18096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js | size = 16336 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | size = 14656 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | size = 16048 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | size = 15856 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js | size = 15696 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\ui-strings.js | size = 16112 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js | size = 14208 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js | size = 21664 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js | size = 15936 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js | size = 14912 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js | size = 15008 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | size = 15104 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | size = 22000 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js | size = 14256 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js | size = 14016 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css | size = 1216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css | size = 4656 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png | size = 1200 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png | size = 1200 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js | size = 1120 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | size = 5632 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\example_icons2x.png | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 24032 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | size = 66912 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 69216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 69216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 69216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 23360 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 59056 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | size = 28096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 70128 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 30352 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 84464 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 18336 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 44976 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 22384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 30992 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 8944 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 65904 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 25536 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 56448 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 34688 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 79072 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 31008 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 31728 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 14976 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 11920 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 7024 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 13840 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5616 |
|
3 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 19424 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 4096 |
|
15 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 15344 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5408 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 17952 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5696 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 24000 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 6848 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 18448 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 26688 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 7824 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 20096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 7632 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 17712 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 7424 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 17600 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5760 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 20608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 6832 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 18672 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 6048 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 19152 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 6736 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 23632 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 6416 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 17488 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 6208 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 21040 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5456 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg | size = 14080 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | size = 7424 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | size = 15360 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | size = 6320 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | size = 339456 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | size = 17808 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | size = 1216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | size = 16656 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | size = 16544 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 14640 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 4096 |
|
18 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 16976 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 12784 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 3648 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 16528 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 16064 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 16272 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 17264 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 16480 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 17600 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 15680 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 18880 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 17008 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\Touch | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 25754224 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 512 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\# How to Decrypt Files.html | size = 4096 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\# How to Decrypt Files.html | size = 3875 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | size = 17456 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | size = 22352 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | size = 7936 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | size = 7856 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\CrashReports\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\en-US\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\images\# How to Decrypt Files.html | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\SIGNUP\# How to Decrypt Files.html | size = 4096 |
|
1 | |
|
For performance reasons, the remaining 2877 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (35)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Keyboard Layout\Preload | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Console | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Console | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = %systemroot%\system32\netfxperf.dll, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 5840, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 | value_name = SchUseStrongCrypto, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Keyboard Layout\Preload | value_name = 1, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Keyboard Layout\Preload | value_name = 1, data = 00000409, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Console | value_name = WordLoad, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Console | value_name = WordLoad, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Console | value_name = WordLoad, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Keyboard Layout\Preload | - |
|
1 | |
| Get Key Info | HKEY_CURRENT_USER\Keyboard Layout\Preload | - |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\Safe.exe | show_window = SW_HIDE |
|
1 | |
| Create | "tasklist" /V /FO CSV | os_pid = 0xc68, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | cmd.exe | show_window = SW_HIDE |
|
2 |
Module (2)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\desktop\kraken.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (422)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Computer Name | result_out = LHNIWSJ |
|
5 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
9 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
398 |
Mutex (34)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Microsoft-Kraken-LHNIWSJ |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = PROCESSOR_ARCHITEW6432 |
|
1 |
Network Behavior
DNS (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = ipinfo.io, address_out = 216.239.34.21, 216.239.32.21, 216.239.36.21, 216.239.38.21 |
|
1 | |
| Resolve Name | host = download.sysinternals.com, address_out = 152.199.19.160 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 404 bytes |
| Total Data Received | 165.83 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 152.199.19.160:443 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x814 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 152.199.19.160 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49429 |
| Data Sent | 404 bytes |
| Data Received | 165.83 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 152.199.19.160, remote_port = 443 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 137, size_out = 137 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 69, size_out = 69 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 6606, size_out = 6606 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 331, size_out = 331 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 202, size_out = 202 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 133, size_out = 133 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 512, size_out = 512 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 5798 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 10618, size_out = 10618 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 1020 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 15396, size_out = 15396 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 4132 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 12284, size_out = 1460 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 10824, size_out = 8760 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2064, size_out = 2064 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 13680, size_out = 13680 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
Process #2: safe.exe
3256
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\programdata\safe.exe |
| Command Line | "C:\ProgramData\Safe.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0xfdc (c:\users\ciihmnxmn6ps\desktop\kraken.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
854
0x
2E8
0x
5B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00871fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00890000 | 0x0094dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| safe.exe | 0x00a80000 | 0x00b59fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000b60000 | 0x00b60000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01127fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0152ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001530000 | 0x01530000 | 0x0192ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001930000 | 0x01930000 | 0x01d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01eb7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ec0000 | 0x01ec0000 | 0x02040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002050000 | 0x02050000 | 0x0344ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x03450000 | 0x03786fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74380000 | 0x743a0fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x743b0000 | 0x743d2fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x743e0000 | 0x743e7fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x743f0000 | 0x74408fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74410000 | 0x7443ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74440000 | 0x74663fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74670000 | 0x74686fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74690000 | 0x74898fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x748a0000 | 0x748c3fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x748d0000 | 0x748d7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x748f0000 | 0x7490cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74910000 | 0x74984fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x76ec0000 | 0x76ec5fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77020000 | 0x77055fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000fe300000 | 0xfe300000 | 0xfe3fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000fe400000 | 0xfe400000 | 0xfe422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fe424000 | 0xfe424000 | 0xfe424fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fe426000 | 0xfe426000 | 0xfe426fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fe427000 | 0xfe427000 | 0xfe429fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fe42a000 | 0xfe42a000 | 0xfe42cfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fe42d000 | 0xfe42d000 | 0xfe42ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (15)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\Safe.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\ProgramData\EventLog.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\ProgramData\Safe.exe | type = file_type |
|
2 | |
| Get Info | C:\ProgramData\EventLog.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\wevtutil.exe | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\EventLog.txt | type = file_attributes |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\ProgramData\EventLog.txt | size = 65536, size_out = 44942 |
|
1 | |
| Read | C:\ProgramData\EventLog.txt | size = 65536, size_out = 0 |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (276)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt" | os_pid = 0xcb4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "AirSpaceChannel" | os_pid = 0xda8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Analytic" | os_pid = 0xd90, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Application" | os_pid = 0xdec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DirectShowFilterGraph" | os_pid = 0xdcc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DirectShowPluginControl" | os_pid = 0xe5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Els_Hyphenation/Analytic" | os_pid = 0xd08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "EndpointMapper" | os_pid = 0x2d0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "FirstUXPerf-Analytic" | os_pid = 0x380, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "ForwardedEvents" | os_pid = 0xf10, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "General Logging" | os_pid = 0xf4c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "HardwareEvents" | os_pid = 0x850, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "IHM_DebugChannel" | os_pid = 0xef0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "InstallUXPerformance-Analytic" | os_pid = 0x7d8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Intel-iaLPSS-GPIO/Analytic" | os_pid = 0xee0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Intel-iaLPSS-I2C/Analytic" | os_pid = 0x700, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Internet Explorer" | os_pid = 0xc60, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Key Management Service" | os_pid = 0xd50, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MF_MediaFoundationDeviceProxy" | os_pid = 0xd1c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MedaFoundationVideoProc" | os_pid = 0x360, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MedaFoundationVideoProcD3D" | os_pid = 0xe48, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationAsyncWrapper" | os_pid = 0xe1c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationContentProtection" | os_pid = 0xdd8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationDS" | os_pid = 0xe2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationDeviceProxy" | os_pid = 0x278, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationMediaEngine" | os_pid = 0xe68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPerformance" | os_pid = 0xa80, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPerformanceCore" | os_pid = 0xf2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPipeline" | os_pid = 0xe5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPlatform" | os_pid = 0x8ec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationSrcPrefetch" | os_pid = 0xb68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Admin" | os_pid = 0x34c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Debug" | os_pid = 0x968, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Diagnostic" | os_pid = 0x954, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IE-ReadingView/Diagnostic" | os_pid = 0xffc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IE/Diagnostic" | os_pid = 0x54c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IEFRAME/Diagnostic" | os_pid = 0x7f0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-JSDumpHeap/Diagnostic" | os_pid = 0x768, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-OneCore-Setup/Analytic" | os_pid = 0xcac, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-PerfTrack-IEFRAME/Diagnostic" | os_pid = 0x5b8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-PerfTrack-MSHTML/Diagnostic" | os_pid = 0xd9c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-WS-Licensing/Admin" | os_pid = 0xe18, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-WS-Licensing/Debug" | os_pid = 0xdd0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-WS-Licensing/Diagnostic" | os_pid = 0xe10, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AAD/Analytic" | os_pid = 0xe34, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AAD/Operational" | os_pid = 0xe38, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ADSI/Debug" | os_pid = 0x328, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ASN1/Operational" | os_pid = 0xc1c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ATAPort/General" | os_pid = 0x830, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ATAPort/SATA-LPM" | os_pid = 0xa80, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ActionQueue/Analytic" | os_pid = 0xfac, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-All-User-Install-Agent/Admin" | os_pid = 0xd44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AllJoyn/Debug" | os_pid = 0xf7c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AllJoyn/Operational" | os_pid = 0x2d0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Anytime-Upgrade-Events/Operational" | os_pid = 0x59c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Anytime-Upgrade/Analytic" | os_pid = 0xf4c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/Admin" | os_pid = 0x5f0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/ApplicationTracing" | os_pid = 0x994, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/Diagnostic" | os_pid = 0xf18, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/Internal" | os_pid = 0x7d8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppID/Operational" | os_pid = 0xc74, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/EXE and DLL" | os_pid = 0xee8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/MSI and Script" | os_pid = 0x444, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/Packaged app-Deployment" | os_pid = 0xdc8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/Packaged app-Execution" | os_pid = 0xddc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Admin" | os_pid = 0xde0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Analytic" | os_pid = 0x348, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Debug" | os_pid = 0xb48, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Diagnostics" | os_pid = 0x6fc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-State/Debug" | os_pid = 0x4b0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-State/Diagnostic" | os_pid = 0xfb4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Admin" | os_pid = 0x960, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Debug" | os_pid = 0x278, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Operational" | os_pid = 0xf2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppSruProv" | os_pid = 0x3ec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeployment/Diagnostic" | os_pid = 0x364, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeployment/Operational" | os_pid = 0xd3c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Debug" | os_pid = 0xc98, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Diagnostic" | os_pid = 0x1b4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Operational" | os_pid = 0xc88, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Restricted" | os_pid = 0xb68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicabilityEngine/Analytic" | os_pid = 0x34c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicabilityEngine/Operational" | os_pid = 0xad0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Admin" | os_pid = 0xc48, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Analytic" | os_pid = 0xff8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Debug" | os_pid = 0xed8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Operational" | os_pid = 0xf88, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug" | os_pid = 0xdb8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" | os_pid = 0x57c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic" | os_pid = 0x93c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace" | os_pid = 0xe24, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" | os_pid = 0xe30, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory" | os_pid = 0x768, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Telemetry" | os_pid = 0xd8c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Steps-Recorder" | os_pid = 0xe1c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic" | os_pid = 0xde4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicationResourceManagementSystem/Operational" | os_pid = 0x2b0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Debug" | os_pid = 0x15c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Operational" | os_pid = 0xe2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Performance" | os_pid = 0x468, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccess/Admin" | os_pid = 0xc08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccess/Operational" | os_pid = 0x6e8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccessBroker/Admin" | os_pid = 0xd0c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccessBroker/Operational" | os_pid = 0xf14, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AsynchronousCausality/Causality" | os_pid = 0xb28, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/CaptureMonitor" | os_pid = 0x6c8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/GlitchDetection" | os_pid = 0xf5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Informational" | os_pid = 0x724, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Operational" | os_pid = 0xe5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Performance" | os_pid = 0xb24, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/PlaybackManager" | os_pid = 0xf08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audit/Analytic" | os_pid = 0xea4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication User Interface/Operational" | os_pid = 0xfa8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController" | os_pid = 0xfcc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUser-Client" | os_pid = 0x370, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" | os_pid = 0xc84, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController" | os_pid = 0x458, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AxInstallService/Log" | os_pid = 0x2e8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic" | os_pid = 0xe00, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BackgroundTaskInfrastructure/Operational" | os_pid = 0xca8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational" | os_pid = 0xd9c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Backup" | os_pid = 0xca4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational" | os_pid = 0xd18, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational" | os_pid = 0x114, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Battery/Diagnostic" | os_pid = 0xdd0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Analytic" | os_pid = 0x1a0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Operational" | os_pid = 0x81c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin" | os_pid = 0xf58, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational" | os_pid = 0xb44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-Driver-Performance/Operational" | os_pid = 0x48c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker/BitLocker Management" | os_pid = 0x740, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker/BitLocker Operational" | os_pid = 0xe98, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker/Tracing" | os_pid = 0xd0c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Bits-Client/Analytic" | os_pid = 0x844, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Bits-Client/Operational" | os_pid = 0xe4c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Bluetooth-MTPEnum/Operational" | os_pid = 0x534, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCache/Operational" | os_pid = 0xe58, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic" | os_pid = 0xf78, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheEventProvider/Diagnostic" | os_pid = 0xfbc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheMonitoring/Analytic" | os_pid = 0xc04, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheSMB/Analytic" | os_pid = 0xa68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheSMB/Operational" | os_pid = 0xe90, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CAPI2/Catalog Database Debug" | os_pid = 0x994, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CAPI2/Operational" | os_pid = 0x34c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CDROM/Operational" | os_pid = 0xff4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/Analytic" | os_pid = 0xc3c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/ApartmentInitialize" | os_pid = 0xed8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/ApartmentUninitialize" | os_pid = 0xb20, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/Call" | os_pid = 0xc74, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/CreateInstance" | os_pid = 0xe08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/ExtensionCatalog" | os_pid = 0x93c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/FreeUnusedLibrary" | os_pid = 0x72c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/Activations" | os_pid = 0xd7c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/MessageProcessing" | os_pid = 0xf6c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/Tracing" | os_pid = 0xd24, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertPoleEng/Operational" | os_pid = 0xc64, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational" | os_pid = 0x5f4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" | os_pid = 0x7e8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" | os_pid = 0xe60, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ClearTypeTextTuner/Diagnostic" | os_pid = 0xe9c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CloudStorageWizard/Analytic" | os_pid = 0x6e0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CloudStorageWizard/Operational" | os_pid = 0xbdc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CmiSetup/Analytic" | os_pid = 0x6c0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CodeIntegrity/Operational" | os_pid = 0xf84, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CodeIntegrity/Verbose" | os_pid = 0x3d4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ComDlg32/Analytic" | os_pid = 0xe70, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ComDlg32/Debug" | os_pid = 0xefc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Compat-Appraiser/Analytic" | os_pid = 0x818, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Compat-Appraiser/Operational" | os_pid = 0xb28, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Analytic" | os_pid = 0xbd8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Debug" | os_pid = 0x544, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Operational" | os_pid = 0xd38, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Diagnostic" | os_pid = 0x94c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Operational" | os_pid = 0x850, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Tracing" | os_pid = 0xb4c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug" | os_pid = 0xf94, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational" | os_pid = 0xb58, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreWindow/Analytic" | os_pid = 0xf98, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreWindow/Debug" | os_pid = 0xc2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CorruptedFileRecovery-Client/Operational" | os_pid = 0xfe8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CorruptedFileRecovery-Server/Operational" | os_pid = 0x828, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crashdump/Operational" | os_pid = 0xee0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CredProvHost/Debug" | os_pid = 0xa24, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CredUI/Diagnostic" | os_pid = 0xdd4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CredentialProviders/Debug" | os_pid = 0x924, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-BCRYPT/Analytic" | os_pid = 0xdcc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-CNG/Analytic" | os_pid = 0x674, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc" | os_pid = 0x224, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/Debug" | os_pid = 0xd18, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/Operational" | os_pid = 0x114, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DSSEnh/Analytic" | os_pid = 0xdd8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-NCrypt/Operational" | os_pid = 0x1a0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-RNG/Analytic" | os_pid = 0x304, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-RSAEnh/Analytic" | os_pid = 0x15c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-D3D10Level9/Analytic" | os_pid = 0x6e0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-D3D10Level9/PerfTiming" | os_pid = 0xbdc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DAL-Provider/Analytic" | os_pid = 0xb44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DAL-Provider/Operational" | os_pid = 0xf34, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DAMM/Diagnostic" | os_pid = 0x740, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DCLocator/Debug" | os_pid = 0xe98, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DLNA-Namespace/Analytic" | os_pid = 0xd0c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DNS-Client/Operational" | os_pid = 0x844, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Admin" | os_pid = 0xe4c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Analytic" | os_pid = 0x534, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Debug" | os_pid = 0xe58, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Operational" | os_pid = 0xf78, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DUI/Diagnostic" | os_pid = 0x848, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DUSER/Diagnostic" | os_pid = 0xf08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DXGI/Analytic" | os_pid = 0xea4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DXGI/Logging" | os_pid = 0xfa8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DXP/Analytic" | os_pid = 0xfcc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Data-Pdf/Debug" | os_pid = 0x370, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DataIntegrityScan/Admin" | os_pid = 0xf20, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DataIntegrityScan/CrashRecovery" | os_pid = 0xee8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Analytic" | os_pid = 0x444, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Debug" | os_pid = 0x550, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Operational" | os_pid = 0x638, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Diagnostic" | os_pid = 0x3f0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Operational" | os_pid = 0xd1c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Performance" | os_pid = 0x678, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Scrubbing" | os_pid = 0xf80, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Defrag-Core/Debug" | os_pid = 0x7f0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deplorch/Analytic" | os_pid = 0x700, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DesktopActivityModerator/Diagnostic" | os_pid = 0xcb0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic" | os_pid = 0x348, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceAssociationService/Performance" | os_pid = 0xd30, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceConfidence/Analytic" | os_pid = 0x6fc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Admin" | os_pid = 0xa40, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Analytic" | os_pid = 0x2d0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Debug" | os_pid = 0x4b0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Operational" | os_pid = 0xb44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSync/Analytic" | os_pid = 0xa80, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSync/Operational" | os_pid = 0x3ec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceUx/Informational" | os_pid = 0xf14, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceUx/Performance" | os_pid = 0xf40, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcp-Client/Admin" | os_pid = 0xd44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcp-Client/Operational" | os_pid = 0xb3c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcpv6-Client/Admin" | os_pid = 0xfc4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcpv6-Client/Operational" | os_pid = 0xe5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DiagCpl/Debug" | os_pid = 0xc60, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic" | os_pid = 0xb24, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Analytic" | os_pid = 0xf9c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Debug" | os_pid = 0xfb0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Operational" | os_pid = 0xc0c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-MSDE/Debug" | os_pid = 0x908, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Analytic" | os_pid = 0xc90, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Debug" | os_pid = 0xfdc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Operational" | os_pid = 0xdb8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PLA/Debug" | os_pid = 0x57c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PLA/Operational" | os_pid = 0xdec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Perfhost/Analytic" | os_pid = 0x584, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scheduled/Operational" | os_pid = 0x924, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Admin" | os_pid = 0xdcc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Analytic" | os_pid = 0xa70, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Debug" | os_pid = 0xddc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Operational" | os_pid = 0xd18, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug" | os_pid = 0xbe0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational" | os_pid = 0x5f4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-WDC/Analytic" | os_pid = 0x554, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-WDI/Debug" | os_pid = 0xd50, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Networking/Debug" | os_pid = 0xe3c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Networking/Operational" | os_pid = 0xe2c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic" | os_pid = 0xc34, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic" | os_pid = 0x2c0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Diagnostic" | os_pid = 0xfe4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback" | os_pid = 0xf8c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Operational" | os_pid = 0xf64, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D10/Analytic" | os_pid = 0x510, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D10_1/Analytic" | os_pid = 0x364, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/Analytic" | os_pid = 0x950, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/Logging" | os_pid = 0xd08, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/PerfTiming" | os_pid = 0x438, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/Analytic" | os_pid = 0xd6c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/Logging" | os_pid = 0xdb4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/PerfTiming" | os_pid = 0xa68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D9/Analytic" | os_pid = 0x990, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (603)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75130000 |
|
282 | |
| Load | C:\ProgramData\Safe.exe | base_address = 0xa80000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Get Filename | - | process_name = c:\programdata\safe.exe, file_name_orig = C:\ProgramData\Safe.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\programdata\safe.exe, file_name_orig = C:\ProgramData\Safe.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7514a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7514ebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7514eb90 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7514ebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemWow64DirectoryW, address_out = 0x751567a0 |
|
277 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (2076)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
261 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1523 | |
| Get Time | type = System Time, time = 2018-09-14 09:46:59 (UTC) |
|
13 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Wow64 Directory, result_out = C:\Windows\SysWOW64 |
|
277 |
Environment (277)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
276 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\programdata\safe.exe | - |
|
1 |
Process #3: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\tasklist.exe |
| Command Line | "tasklist" /V /FO CSV |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:01:04, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc68 |
| Parent PID | 0xfdc (c:\users\ciihmnxmn6ps\desktop\kraken.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
724
0x
818
0x
A2C
0x
CDC
0x
CB0
0x
CB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001b22140000 | 0x1b22140000 | 0x1b2215ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b22140000 | 0x1b22140000 | 0x1b2214ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001b22150000 | 0x1b22150000 | 0x1b22156fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b22160000 | 0x1b22160000 | 0x1b22173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001b22180000 | 0x1b22180000 | 0x1b221fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b22200000 | 0x1b22200000 | 0x1b22203fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001b22210000 | 0x1b22210000 | 0x1b22210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001b22220000 | 0x1b22220000 | 0x1b22221fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1b22230000 | 0x1b222edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001b222f0000 | 0x1b222f0000 | 0x1b222f6fff | Private Memory | rw |
|
|
|
- |
| tasklist.exe.mui | 0x1b22300000 | 0x1b22303fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001b22310000 | 0x1b22310000 | 0x1b22310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001b22320000 | 0x1b22320000 | 0x1b22320fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b22330000 | 0x1b22330000 | 0x1b22330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001b22340000 | 0x1b22340000 | 0x1b2243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001b22440000 | 0x1b22440000 | 0x1b224bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001b224c0000 | 0x1b224c0000 | 0x1b2253ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b22540000 | 0x1b22540000 | 0x1b22540fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001b22550000 | 0x1b22550000 | 0x1b225cffff | Private Memory | rw |
|
|
|
- |
| wmiutils.dll.mui | 0x1b225d0000 | 0x1b225d4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001b225f0000 | 0x1b225f0000 | 0x1b225fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b22600000 | 0x1b22600000 | 0x1b22787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001b22790000 | 0x1b22790000 | 0x1b22910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001b22920000 | 0x1b22920000 | 0x1b23d1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x1b23d20000 | 0x1b24056fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x1b24060000 | 0x1b2413efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001b24140000 | 0x1b24140000 | 0x1b241bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001b241c0000 | 0x1b241c0000 | 0x1b2423ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff680000 | 0x7df5ff680000 | 0x7ff5ff67ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff61e5ee000 | 0x7ff61e5ee000 | 0x7ff61e5effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff61e5f0000 | 0x7ff61e5f0000 | 0x7ff61e6effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff61e6f0000 | 0x7ff61e6f0000 | 0x7ff61e712fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff61e714000 | 0x7ff61e714000 | 0x7ff61e715fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61e716000 | 0x7ff61e716000 | 0x7ff61e717fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61e718000 | 0x7ff61e718000 | 0x7ff61e718fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61e71a000 | 0x7ff61e71a000 | 0x7ff61e71bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61e71c000 | 0x7ff61e71c000 | 0x7ff61e71dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61e71e000 | 0x7ff61e71e000 | 0x7ff61e71ffff | Private Memory | rw |
|
|
|
- |
| tasklist.exe | 0x7ff61f430000 | 0x7ff61f44cfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffadaf10000 | 0x7ffadb099fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7ffae4200000 | 0x7ffae424dfff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7ffae9440000 | 0x7ffae9464fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffae9470000 | 0x7ffae9483fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffae9490000 | 0x7ffae9587fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffae9fa0000 | 0x7ffae9fb0fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffaef560000 | 0x7ffaef5defff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffaf36d0000 | 0x7ffaf36ebfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffaf3700000 | 0x7ffaf3725fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #5: cmd.exe
64
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:56, Reason: Child Process |
| Unmonitor | End Time: 00:00:59, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6D8
0x
5B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00db0000 | 0x00e6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05400000 | 0x05736fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e63ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e668000 | 0x7e668000 | 0x7e66afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66b000 | 0x7e66b000 | 0x7e66bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66c000 | 0x7e66c000 | 0x7e66efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66f000 | 0x7e66f000 | 0x7e66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\ProgramData\EventLog.txt | 43.89 KB |
MD5:
1b0a6a1baaf925bbc5faaf46aba3204a
SHA1: 3066f360ea1d9f83a878eed713f4fb44c19791e7 SHA256: 3f5bf8857903b23c1b4df4fe67a701cb5e01e8c0bab6c287f036d27a14ecbe0c SSDeep: 768:D+xRjXmjx4nTqhKFGNqefhERl//Kx90KI87aHtQB0b9QPwUzXhWLmjLHHQQWGuma:D+xRbmjx4nTqhKFGNqefhERl//Kx90KG |
|
|
Host Behavior
File (17)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\EventLog.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
9 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x67c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #8: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe enum-logs |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:57, Reason: Child Process |
| Unmonitor | End Time: 00:00:58, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x67c |
| Parent PID | 0xcb4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
578
0x
D50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c70000 | 0x04d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x050bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74310000 | 0x7435dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74360000 | 0x7437afff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eab0000 | 0x7eab0000 | 0x7ebaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ebd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebd7000 | 0x7ebd7000 | 0x7ebd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebda000 | 0x7ebda000 | 0x7ebdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdd000 | 0x7ebdd000 | 0x7ebddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdf000 | 0x7ebdf000 | 0x7ebdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #10: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "AirSpaceChannel" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:00:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA0
0x
D9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006d0000 | 0x006d0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a80000 | 0x00b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c40000 | 0x00f76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e820000 | 0x7e820000 | 0x7e842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e846000 | 0x7e846000 | 0x7e848fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e849000 | 0x7e849000 | 0x7e84bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84c000 | 0x7e84c000 | 0x7e84cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84d000 | 0x7e84d000 | 0x7e84dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 139, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #12: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "AirSpaceChannel" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:00:59, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd84 |
| Parent PID | 0xda8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DAC
0x
DA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x0026dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74310000 | 0x7432afff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74330000 | 0x7437dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e9fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7ea22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea26000 | 0x7ea26000 | 0x7ea26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea28000 | 0x7ea28000 | 0x7ea2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2b000 | 0x7ea2b000 | 0x7ea2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2d000 | 0x7ea2d000 | 0x7ea2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #13: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D94
0x
E08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000210000 | 0x00210000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x0021ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00233fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003d0000 | 0x0048dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00840000 | 0x00b76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5b0000 | 0x7e5b0000 | 0x7e6affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6b0000 | 0x7e6b0000 | 0x7e6d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6d4000 | 0x7e6d4000 | 0x7e6d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6d7000 | 0x7e6d7000 | 0x7e6d7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6da000 | 0x7e6da000 | 0x7e6dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6dd000 | 0x7e6dd000 | 0x7e6dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe00, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #15: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:00:59, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe00 |
| Parent PID | 0xd90 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000930000 | 0x00930000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6b0000 | 0x7f6b0000 | 0x7f6d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6d4000 | 0x7f6d4000 | 0x7f6d4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6da000 | 0x7f6da000 | 0x7f6dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6dd000 | 0x7f6dd000 | 0x7f6ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #16: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Application" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdec |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E20
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000790000 | 0x00790000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x0079ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00941fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00950000 | 0x00a0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d20000 | 0x01056fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7ec5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec60000 | 0x7ec60000 | 0x7ec82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec86000 | 0x7ec86000 | 0x7ec86fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec88000 | 0x7ec88000 | 0x7ec8afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8b000 | 0x7ec8b000 | 0x7ec8dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8e000 | 0x7ec8e000 | 0x7ec8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdc8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #18: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Application" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc8 |
| Parent PID | 0xdec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD4
0x
DD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000390000 | 0x00390000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00463fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00470fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00481fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6e0000 | 0x7f6e0000 | 0x7f702fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f703000 | 0x7f703000 | 0x7f703fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70c000 | 0x7f70c000 | 0x7f70efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70f000 | 0x7f70f000 | 0x7f70ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #19: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DirectShowFilterGraph" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdcc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE8
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007a0000 | 0x007a0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00960000 | 0x00a1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d20000 | 0x01056fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e660000 | 0x7e660000 | 0x7e75ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e760000 | 0x7e760000 | 0x7e782fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e784000 | 0x7e784000 | 0x7e786fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e787000 | 0x7e787000 | 0x7e787fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e78a000 | 0x7e78a000 | 0x7e78afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e78d000 | 0x7e78d000 | 0x7e78ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #21: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "DirectShowFilterGraph" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd7c |
| Parent PID | 0xdcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D8C
0x
E10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x04c7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04ca1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d50000 | 0x04d50000 | 0x04d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f1f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1f5000 | 0x7f1f5000 | 0x7f1f5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1fc000 | 0x7f1fc000 | 0x7f1fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ff000 | 0x7f1ff000 | 0x7f1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #22: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DirectShowPluginControl" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E50
0x
D04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e20000 | 0x00e20000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fe0000 | 0x0109dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05470000 | 0x057a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f26ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f297000 | 0x7f297000 | 0x7f299fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f29a000 | 0x7f29a000 | 0x7f29cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f29d000 | 0x7f29d000 | 0x7f29dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f29f000 | 0x7f29f000 | 0x7f29ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #24: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "DirectShowPluginControl" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0xe5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D10
0x
D20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb10000 | 0x7eb10000 | 0x7eb32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb33000 | 0x7eb33000 | 0x7eb33fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb34000 | 0x7eb34000 | 0x7eb34fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3d000 | 0x7eb3d000 | 0x7eb3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #25: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Els_Hyphenation/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd08 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00df0000 | 0x00eadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f980000 | 0x7f980000 | 0x7fa7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa80000 | 0x7fa80000 | 0x7faa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007faa8000 | 0x7faa8000 | 0x7faa8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007faa9000 | 0x7faa9000 | 0x7faa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007faaa000 | 0x7faaa000 | 0x7faacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007faad000 | 0x7faad000 | 0x7faaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 123, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #27: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Els_Hyphenation/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0xd08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E34
0x
C40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x04e3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e61fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7eb52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb57000 | 0x7eb57000 | 0x7eb57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb5c000 | 0x7eb5c000 | 0x7eb5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb5f000 | 0x7eb5f000 | 0x7eb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #28: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "EndpointMapper" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
328
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008f0000 | 0x008f0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ab0000 | 0x00b6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e310000 | 0x7e310000 | 0x7e40ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e410000 | 0x7e410000 | 0x7e432fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e434000 | 0x7e434000 | 0x7e434fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e439000 | 0x7e439000 | 0x7e43bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e43c000 | 0x7e43c000 | 0x7e43efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e43f000 | 0x7e43f000 | 0x7e43ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x404, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #30: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "EndpointMapper" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x404 |
| Parent PID | 0x2d0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
520
0x
268
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f826000 | 0x7f826000 | 0x7f826fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82c000 | 0x7f82c000 | 0x7f82efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82f000 | 0x7f82f000 | 0x7f82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #31: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "FirstUXPerf-Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x380 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A80
0x
ECC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f850000 | 0x7f850000 | 0x7f94ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7f972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f974000 | 0x7f974000 | 0x7f974fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f979000 | 0x7f979000 | 0x7f97bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97c000 | 0x7f97c000 | 0x7f97cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97d000 | 0x7f97d000 | 0x7f97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #33: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "FirstUXPerf-Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0x380 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B04
0x
E28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x04f8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fc0000 | 0x04fc0000 | 0x04fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005060000 | 0x05060000 | 0x05063fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005070000 | 0x05070000 | 0x05070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x05081fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0527ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x054effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ee92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee9b000 | 0x7ee9b000 | 0x7ee9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee9e000 | 0x7ee9e000 | 0x7ee9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee9f000 | 0x7ee9f000 | 0x7ee9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #34: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "ForwardedEvents" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf10 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F00
0x
F34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000980000 | 0x00980000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0098ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eff0000 | 0x7eff0000 | 0x7f0effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0f0000 | 0x7f0f0000 | 0x7f112fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f113000 | 0x7f113000 | 0x7f113fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f118000 | 0x7f118000 | 0x7f118fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f11a000 | 0x7f11a000 | 0x7f11cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f11d000 | 0x7f11d000 | 0x7f11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #36: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "ForwardedEvents" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf3c |
| Parent PID | 0xf10 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F38
0x
F2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x04ebffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x04f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec14000 | 0x7ec14000 | 0x7ec14fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1c000 | 0x7ec1c000 | 0x7ec1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1f000 | 0x7ec1f000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #37: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "General Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:06, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F44
0x
EE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00850000 | 0x0090dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c40000 | 0x00f76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7ebbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebe4000 | 0x7ebe4000 | 0x7ebe4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebe9000 | 0x7ebe9000 | 0x7ebebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebec000 | 0x7ebec000 | 0x7ebeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebef000 | 0x7ebef000 | 0x7ebeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #39: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "General Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:05, Reason: Child Process |
| Unmonitor | End Time: 00:01:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xf4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BDC
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eac4000 | 0x7eac4000 | 0x7eac4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacc000 | 0x7eacc000 | 0x7eaccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #40: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "HardwareEvents" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x850 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
848
0x
200
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006e0000 | 0x006e0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00701fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00703fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00873fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00891fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008a0000 | 0x0095dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3a0000 | 0x7f3a0000 | 0x7f49ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4a0000 | 0x7f4a0000 | 0x7f4c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4c8000 | 0x7f4c8000 | 0x7f4cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4cb000 | 0x7f4cb000 | 0x7f4cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4cc000 | 0x7f4cc000 | 0x7f4cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4cf000 | 0x7f4cf000 | 0x7f4cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #42: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "HardwareEvents" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0c |
| Parent PID | 0x850 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
EF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e10000 | 0x04ecdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05100000 | 0x05436fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74310000 | 0x7432afff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74330000 | 0x7437dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f780000 | 0x7f780000 | 0x7f87ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f880000 | 0x7f880000 | 0x7f8a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8a6000 | 0x7f8a6000 | 0x7f8a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8a9000 | 0x7f8a9000 | 0x7f8abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ac000 | 0x7f8ac000 | 0x7f8aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8af000 | 0x7f8af000 | 0x7f8affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #43: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "IHM_DebugChannel" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:01:10, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA8
0x
F98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x0019ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00350000 | 0x0040dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008c0000 | 0x00bf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebe0000 | 0x7ebe0000 | 0x7ecdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7ed02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed07000 | 0x7ed07000 | 0x7ed07fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed09000 | 0x7ed09000 | 0x7ed0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed0c000 | 0x7ed0c000 | 0x7ed0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed0f000 | 0x7ed0f000 | 0x7ed0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 196, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfd0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #45: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "IHM_DebugChannel" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:01:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd0 |
| Parent PID | 0xef0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
F90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f512fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f518000 | 0x7f518000 | 0x7f518fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f51a000 | 0x7f51a000 | 0x7f51afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f51d000 | 0x7f51d000 | 0x7f51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #46: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "InstallUXPerformance-Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:01:12, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C2C
0x
FF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d60000 | 0x00d60000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0541ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05420000 | 0x05756fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e850000 | 0x7e850000 | 0x7e94ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e950000 | 0x7e950000 | 0x7e972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e975000 | 0x7e975000 | 0x7e977fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e978000 | 0x7e978000 | 0x7e978fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e97b000 | 0x7e97b000 | 0x7e97dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e97e000 | 0x7e97e000 | 0x7e97efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xff4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #48: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "InstallUXPerformance-Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:01:12, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff4 |
| Parent PID | 0x7d8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C20
0x
EE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000650000 | 0x00650000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e500000 | 0x7e500000 | 0x7e522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e52a000 | 0x7e52a000 | 0x7e52afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e52b000 | 0x7e52b000 | 0x7e52bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e52d000 | 0x7e52d000 | 0x7e52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #49: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Intel-iaLPSS-GPIO/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:01:15, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EDC
0x
3D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000a0000 | 0x000a0000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006a0000 | 0x009d6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ef5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7ef82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef84000 | 0x7ef84000 | 0x7ef84fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef89000 | 0x7ef89000 | 0x7ef8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef8c000 | 0x7ef8c000 | 0x7ef8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef8f000 | 0x7ef8f000 | 0x7ef8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #51: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Intel-iaLPSS-GPIO/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:12, Reason: Child Process |
| Unmonitor | End Time: 00:01:14, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0xee0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C74
0x
708
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001b0000 | 0x001b0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7ef92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef93000 | 0x7ef93000 | 0x7ef93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef94000 | 0x7ef94000 | 0x7ef94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef9d000 | 0x7ef9d000 | 0x7ef9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #52: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Intel-iaLPSS-I2C/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:16, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x700 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6D4
0x
8A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000da0000 | 0x00da0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00de3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fe0000 | 0x0109dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055c0000 | 0x055c0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055d0000 | 0x05906fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef78000 | 0x7ef78000 | 0x7ef7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7b000 | 0x7ef7b000 | 0x7ef7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7e000 | 0x7ef7e000 | 0x7ef7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7f000 | 0x7ef7f000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 35, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x768, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #54: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Intel-iaLPSS-I2C/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:01:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0x700 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE4
0x
6EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x04f0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05001fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7eba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eba4000 | 0x7eba4000 | 0x7eba4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eba9000 | 0x7eba9000 | 0x7eba9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebad000 | 0x7ebad000 | 0x7ebaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #55: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Internet Explorer" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:18, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc60 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF0
0x
B20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000680000 | 0x00680000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x0068ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00693fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00840000 | 0x008fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d20000 | 0x01056fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e550000 | 0x7e550000 | 0x7e64ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e650000 | 0x7e650000 | 0x7e672fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e675000 | 0x7e675000 | 0x7e675fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e679000 | 0x7e679000 | 0x7e67bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e67c000 | 0x7e67c000 | 0x7e67efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e67f000 | 0x7e67f000 | 0x7e67ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x538, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #57: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Internet Explorer" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:17, Reason: Child Process |
| Unmonitor | End Time: 00:01:18, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x538 |
| Parent PID | 0xc60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CEC
0x
578
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004e0000 | 0x004e0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00501fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00523fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f0a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0aa000 | 0x7f0aa000 | 0x7f0acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ad000 | 0x7f0ad000 | 0x7f0adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0af000 | 0x7f0af000 | 0x7f0affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #58: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Key Management Service" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:17, Reason: Child Process |
| Unmonitor | End Time: 00:01:19, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd50 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
67C
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000da0000 | 0x00da0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00de3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f60000 | 0x0101dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05440000 | 0x05776fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e9fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7ea22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea27000 | 0x7ea27000 | 0x7ea29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2a000 | 0x7ea2a000 | 0x7ea2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2c000 | 0x7ea2c000 | 0x7ea2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2f000 | 0x7ea2f000 | 0x7ea2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 80, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x444, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #60: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Key Management Service" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:01:19, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x444 |
| Parent PID | 0xd50 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f4d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4d7000 | 0x7f4d7000 | 0x7f4d7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4d9000 | 0x7f4d9000 | 0x7f4d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4dd000 | 0x7f4dd000 | 0x7f4dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #61: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MF_MediaFoundationDeviceProxy" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd1c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DAC
0x
DB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008a0000 | 0x008a0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a60000 | 0x00b1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fbd0000 | 0x7fbd0000 | 0x7fccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fcd0000 | 0x7fcd0000 | 0x7fcf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fcf4000 | 0x7fcf4000 | 0x7fcf4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcf9000 | 0x7fcf9000 | 0x7fcfbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcfc000 | 0x7fcfc000 | 0x7fcfefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcff000 | 0x7fcff000 | 0x7fcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xda8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #63: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MF_MediaFoundationDeviceProxy" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda8 |
| Parent PID | 0xd1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D98
0x
DC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x04e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7c000 | 0x7ef7c000 | 0x7ef7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7f000 | 0x7ef7f000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #64: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MedaFoundationVideoProc" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x360 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
D90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000310000 | 0x00310000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x0031ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00323fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00500000 | 0x005bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00920000 | 0x00c56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb90000 | 0x7eb90000 | 0x7ec8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec90000 | 0x7ec90000 | 0x7ecb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecb5000 | 0x7ecb5000 | 0x7ecb5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecb9000 | 0x7ecb9000 | 0x7ecbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecbc000 | 0x7ecbc000 | 0x7ecbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecbd000 | 0x7ecbd000 | 0x7ecbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #66: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MedaFoundationVideoProc" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf0 |
| Parent PID | 0x360 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D70
0x
E04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003e0000 | 0x003e0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef76000 | 0x7ef76000 | 0x7ef76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef79000 | 0x7ef79000 | 0x7ef79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #67: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MedaFoundationVideoProcD3D" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe48 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E24
0x
E20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00123fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00310000 | 0x003cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00660000 | 0x00996fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7eddffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7ee02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee04000 | 0x7ee04000 | 0x7ee04fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee08000 | 0x7ee08000 | 0x7ee0afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee0b000 | 0x7ee0b000 | 0x7ee0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee0d000 | 0x7ee0d000 | 0x7ee0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #69: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MedaFoundationVideoProcD3D" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf4 |
| Parent PID | 0xe48 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DEC
0x
DF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x04e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec10000 | 0x7ec10000 | 0x7ec32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec38000 | 0x7ec38000 | 0x7ec3afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec3b000 | 0x7ec3b000 | 0x7ec3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec3e000 | 0x7ec3e000 | 0x7ec3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #70: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationAsyncWrapper" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:01:23, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe1c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE0
0x
D7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ca0000 | 0x00d5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e680000 | 0x7e680000 | 0x7e77ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e780000 | 0x7e780000 | 0x7e7a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7a6000 | 0x7e7a6000 | 0x7e7a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7a9000 | 0x7e7a9000 | 0x7e7a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7aa000 | 0x7e7aa000 | 0x7e7acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7ad000 | 0x7e7ad000 | 0x7e7adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #72: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationAsyncWrapper" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:01:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd78 |
| Parent PID | 0xe1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DCC
0x
DC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efb8000 | 0x7efb8000 | 0x7efb8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efb9000 | 0x7efb9000 | 0x7efb9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbd000 | 0x7efbd000 | 0x7efbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #73: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationContentProtection" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE4
0x
324
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f10000 | 0x00f10000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x0109ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x010a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053d0000 | 0x053d0000 | 0x054cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054d0000 | 0x054d0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056d0000 | 0x056d0000 | 0x056dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056e0000 | 0x05a16fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ee0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ee32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee37000 | 0x7ee37000 | 0x7ee39fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee3a000 | 0x7ee3a000 | 0x7ee3afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee3c000 | 0x7ee3c000 | 0x7ee3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee3f000 | 0x7ee3f000 | 0x7ee3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 227, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x348, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #75: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationContentProtection" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x348 |
| Parent PID | 0xdd8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
350
0x
E34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ec92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec93000 | 0x7ec93000 | 0x7ec93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9c000 | 0x7ec9c000 | 0x7ec9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9f000 | 0x7ec9f000 | 0x7ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #76: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationDS" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
0x
81C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b30000 | 0x00b30000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d00000 | 0x00dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea70000 | 0x7ea70000 | 0x7eb6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7eb92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb96000 | 0x7eb96000 | 0x7eb96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb97000 | 0x7eb97000 | 0x7eb97fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9a000 | 0x7eb9a000 | 0x7eb9cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9d000 | 0x7eb9d000 | 0x7eb9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x804, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #78: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationDS" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x804 |
| Parent PID | 0xe2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2B0
0x
CE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003f0000 | 0x003f0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00433fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ed42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed45000 | 0x7ed45000 | 0x7ed45fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed48000 | 0x7ed48000 | 0x7ed48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed4d000 | 0x7ed4d000 | 0x7ed4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #79: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationDeviceProxy" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x278 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
604
0x
15C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0024ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00880000 | 0x00bb6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8b0000 | 0x7e8b0000 | 0x7e9affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e9b0000 | 0x7e9b0000 | 0x7e9d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e9d7000 | 0x7e9d7000 | 0x7e9d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9da000 | 0x7e9da000 | 0x7e9dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9dc000 | 0x7e9dc000 | 0x7e9defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9df000 | 0x7e9df000 | 0x7e9dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x2e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #81: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationDeviceProxy" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:29, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2e4 |
| Parent PID | 0x278 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
328
0x
304
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x04e0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ee0000 | 0x04ee0000 | 0x04ee3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x04ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f10000 | 0x04fcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x053affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74310000 | 0x7435dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74360000 | 0x7437afff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f540000 | 0x7f540000 | 0x7f63ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f640000 | 0x7f640000 | 0x7f662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f666000 | 0x7f666000 | 0x7f666fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f669000 | 0x7f669000 | 0x7f669fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f66a000 | 0x7f66a000 | 0x7f66cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f66d000 | 0x7f66d000 | 0x7f66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #82: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationMediaEngine" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe68 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E60
0x
E28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004f0000 | 0x005adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009e0000 | 0x00d16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7ef8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efb8000 | 0x7efb8000 | 0x7efbafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbb000 | 0x7efbb000 | 0x7efbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbc000 | 0x7efbc000 | 0x7efbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbf000 | 0x7efbf000 | 0x7efbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #84: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationMediaEngine" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0xe68 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6FC
0x
C1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e40000 | 0x04efdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74310000 | 0x7432afff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74330000 | 0x7437dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6b4000 | 0x7f6b4000 | 0x7f6b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6b7000 | 0x7f6b7000 | 0x7f6b7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ba000 | 0x7f6ba000 | 0x7f6bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bd000 | 0x7f6bd000 | 0x7f6bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #85: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPerformance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ECC
0x
7AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001a0000 | 0x001a0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x0041dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00940000 | 0x00c76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e93ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e940000 | 0x7e940000 | 0x7e962fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e967000 | 0x7e967000 | 0x7e967fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e969000 | 0x7e969000 | 0x7e96bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e96c000 | 0x7e96c000 | 0x7e96cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e96d000 | 0x7e96d000 | 0x7e96ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #87: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationPerformance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf84 |
| Parent PID | 0xa80 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5C0
0x
48C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000500000 | 0x00500000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00543fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f320000 | 0x7f320000 | 0x7f342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f34a000 | 0x7f34a000 | 0x7f34afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34c000 | 0x7f34c000 | 0x7f34efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34f000 | 0x7f34f000 | 0x7f34ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #88: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPerformanceCore" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:33, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf2c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F3C
0x
F48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000970000 | 0x00970000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0097ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b80000 | 0x00c3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec20000 | 0x7ec20000 | 0x7ed1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ed42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed44000 | 0x7ed44000 | 0x7ed44fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed48000 | 0x7ed48000 | 0x7ed4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed4b000 | 0x7ed4b000 | 0x7ed4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed4e000 | 0x7ed4e000 | 0x7ed4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 5, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #90: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationPerformanceCore" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:33, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0xf2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB8
0x
D0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fa62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa6a000 | 0x7fa6a000 | 0x7fa6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6d000 | 0x7fa6d000 | 0x7fa6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6f000 | 0x7fa6f000 | 0x7fa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #91: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPipeline" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:44, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E58
0x
510
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x0020ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003e0000 | 0x0049dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00700000 | 0x00a36fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f17ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f1a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1a6000 | 0x7f1a6000 | 0x7f1a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1a7000 | 0x7f1a7000 | 0x7f1a7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1aa000 | 0x7f1aa000 | 0x7f1acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ad000 | 0x7f1ad000 | 0x7f1affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 210, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x404, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #93: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationPipeline" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:01:44, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x404 |
| Parent PID | 0xe5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD8
0x
A2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000850000 | 0x00850000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00941fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eed0000 | 0x7eed0000 | 0x7eef2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eef4000 | 0x7eef4000 | 0x7eef4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefa000 | 0x7eefa000 | 0x7eefafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefd000 | 0x7eefd000 | 0x7eefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #94: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPlatform" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8ec |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
63C
0x
C98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00c03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d80000 | 0x00e3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053d0000 | 0x053d0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053e0000 | 0x05716fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4b0000 | 0x7e4b0000 | 0x7e5affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e5b0000 | 0x7e5b0000 | 0x7e5d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5d8000 | 0x7e5d8000 | 0x7e5d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5d9000 | 0x7e5d9000 | 0x7e5dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5dc000 | 0x7e5dc000 | 0x7e5dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5dd000 | 0x7e5dd000 | 0x7e5dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 81, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x1a4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #96: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationPlatform" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1a4 |
| Parent PID | 0x8ec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BDC
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00101fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fd20000 | 0x7fd20000 | 0x7fd42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fd43000 | 0x7fd43000 | 0x7fd43fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd46000 | 0x7fd46000 | 0x7fd46fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd4d000 | 0x7fd4d000 | 0x7fd4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #97: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationSrcPrefetch" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F4C
0x
EF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ea0000 | 0x00f5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054f0000 | 0x054f0000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05500000 | 0x05836fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eb9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eba0000 | 0x7eba0000 | 0x7ebc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebc6000 | 0x7ebc6000 | 0x7ebc8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebc9000 | 0x7ebc9000 | 0x7ebc9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebcc000 | 0x7ebcc000 | 0x7ebcefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebcf000 | 0x7ebcf000 | 0x7ebcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc18, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #99: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "MediaFoundationSrcPrefetch" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc18 |
| Parent PID | 0xb68 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
438
0x
848
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006a0000 | 0x006a0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00773fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1e0000 | 0x7f1e0000 | 0x7f202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f207000 | 0x7f207000 | 0x7f207fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f20c000 | 0x7f20c000 | 0x7f20efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f20f000 | 0x7f20f000 | 0x7f20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #100: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x34c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F0
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f90000 | 0x00f90000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01123fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x01130fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x05191fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051a0000 | 0x0525dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005450000 | 0x05450000 | 0x0545ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0557ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05580000 | 0x058b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f30ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f336000 | 0x7f336000 | 0x7f338fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f339000 | 0x7f339000 | 0x7f339fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33b000 | 0x7f33b000 | 0x7f33dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33e000 | 0x7f33e000 | 0x7f33efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x9e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #102: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e8 |
| Parent PID | 0x34c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
788
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x04c0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e910000 | 0x7e910000 | 0x7e932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e93b000 | 0x7e93b000 | 0x7e93dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e93e000 | 0x7e93e000 | 0x7e93efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e93f000 | 0x7e93f000 | 0x7e93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #103: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #103 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
994
0x
B74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d20000 | 0x00dddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edd7000 | 0x7edd7000 | 0x7edd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edd9000 | 0x7edd9000 | 0x7eddbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddc000 | 0x7eddc000 | 0x7eddefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddf000 | 0x7eddf000 | 0x7eddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #105: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0x968 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B60
0x
998
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x04ebffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x04f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb40000 | 0x7fb40000 | 0x7fb62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb6b000 | 0x7fb6b000 | 0x7fb6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb6c000 | 0x7fb6c000 | 0x7fb6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb6f000 | 0x7fb6f000 | 0x7fb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #106: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:01:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x954 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
F94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000060000 | 0x00060000 | 0x0007ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x0006ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00073fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00081fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00083fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x000a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00220000 | 0x002ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00660000 | 0x00996fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7f01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f045000 | 0x7f045000 | 0x7f045fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f049000 | 0x7f049000 | 0x7f04bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04c000 | 0x7f04c000 | 0x7f04cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04d000 | 0x7f04d000 | 0x7f04ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfd0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #108: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Client-Licensing-Platform/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:01:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd0 |
| Parent PID | 0x954 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF0
0x
F18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000030000 | 0x00030000 | 0x0004ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00051fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00073fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00103fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e440000 | 0x7e440000 | 0x7e462fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e469000 | 0x7e469000 | 0x7e469fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e46c000 | 0x7e46c000 | 0x7e46cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e46d000 | 0x7e46d000 | 0x7e46ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #109: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IE-ReadingView/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:01:51, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xffc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D88
0x
370
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000230000 | 0x00230000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x0023ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00243fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003f0000 | 0x004adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00820000 | 0x00b56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb86000 | 0x7eb86000 | 0x7eb88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb89000 | 0x7eb89000 | 0x7eb8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8c000 | 0x7eb8c000 | 0x7eb8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8e000 | 0x7eb8e000 | 0x7eb8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xff0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #111: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-IE-ReadingView/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:01:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff0 |
| Parent PID | 0xffc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF4
0x
7D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000950000 | 0x00950000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb90000 | 0x7eb90000 | 0x7ebb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebbb000 | 0x7ebbb000 | 0x7ebbdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebbe000 | 0x7ebbe000 | 0x7ebbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebbf000 | 0x7ebbf000 | 0x7ebbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #112: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IE/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:01:52, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x54c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED0
0x
7F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000970000 | 0x00970000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0097ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d50000 | 0x00e0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f50ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f510000 | 0x7f510000 | 0x7f532fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f537000 | 0x7f537000 | 0x7f537fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f538000 | 0x7f538000 | 0x7f53afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f53b000 | 0x7f53b000 | 0x7f53dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f53e000 | 0x7f53e000 | 0x7f53efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #114: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-IE/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:01:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0x54c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED4
0x
2F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004d0000 | 0x004d0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e780000 | 0x7e780000 | 0x7e7a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7a9000 | 0x7e7a9000 | 0x7e7a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7aa000 | 0x7e7aa000 | 0x7e7acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7ad000 | 0x7e7ad000 | 0x7e7adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #115: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IEFRAME/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE4
0x
828
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000f0000 | 0x000f0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00670000 | 0x009a6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5a0000 | 0x7f5a0000 | 0x7f69ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6c8000 | 0x7f6c8000 | 0x7f6cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cb000 | 0x7f6cb000 | 0x7f6cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ce000 | 0x7f6ce000 | 0x7f6cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cf000 | 0x7f6cf000 | 0x7f6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #117: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #117 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-IEFRAME/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0x7f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE0
0x
ED8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x04c8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f230000 | 0x7f230000 | 0x7f252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f259000 | 0x7f259000 | 0x7f25bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f25c000 | 0x7f25c000 | 0x7f25cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f25e000 | 0x7f25e000 | 0x7f25efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #118: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-JSDumpHeap/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
700
0x
114
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000630000 | 0x00630000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x0063ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00643fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007f0000 | 0x008adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ca0000 | 0x00fd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f2affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2b0000 | 0x7f2b0000 | 0x7f2d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2d6000 | 0x7f2d6000 | 0x7f2d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2d9000 | 0x7f2d9000 | 0x7f2dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2dc000 | 0x7f2dc000 | 0x7f2dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2df000 | 0x7f2df000 | 0x7f2dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #120: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-JSDumpHeap/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf0 |
| Parent PID | 0x768 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B20
0x
D24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x04f4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005020000 | 0x05020000 | 0x05023fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005030000 | 0x05030000 | 0x05030fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x05041fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x0524ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1c0000 | 0x7f1c0000 | 0x7f1e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1e8000 | 0x7f1e8000 | 0x7f1e8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1eb000 | 0x7f1eb000 | 0x7f1edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ee000 | 0x7f1ee000 | 0x7f1eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #121: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-OneCore-Setup/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcac |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
538
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a50000 | 0x00a50000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00df0000 | 0x00eadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebd0000 | 0x7ebd0000 | 0x7eccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecd0000 | 0x7ecd0000 | 0x7ecf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecf8000 | 0x7ecf8000 | 0x7ecfafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecfb000 | 0x7ecfb000 | 0x7ecfdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecfe000 | 0x7ecfe000 | 0x7ecfefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecff000 | 0x7ecff000 | 0x7ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 117, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x6d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #123: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-OneCore-Setup/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6d8 |
| Parent PID | 0xcac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
67C
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f312fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f31a000 | 0x7f31a000 | 0x7f31cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31d000 | 0x7f31d000 | 0x7f31dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31f000 | 0x7f31f000 | 0x7f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #124: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-PerfTrack-IEFRAME/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE8
0x
D98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d70000 | 0x00e2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05290000 | 0x055c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7eabffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7eae2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eae7000 | 0x7eae7000 | 0x7eae7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eae9000 | 0x7eae9000 | 0x7eaebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaec000 | 0x7eaec000 | 0x7eaeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaef000 | 0x7eaef000 | 0x7eaeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #126: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-PerfTrack-IEFRAME/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc0 |
| Parent PID | 0x5b8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D84
0x
DAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000250000 | 0x00250000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6fb000 | 0x7e6fb000 | 0x7e6fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6fc000 | 0x7e6fc000 | 0x7e6fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6ff000 | 0x7e6ff000 | 0x7e6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #127: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-PerfTrack-MSHTML/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd9c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA0
0x
D94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006d0000 | 0x006d0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00890000 | 0x0094dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f840000 | 0x7f840000 | 0x7f93ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f940000 | 0x7f940000 | 0x7f962fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f963000 | 0x7f963000 | 0x7f963fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f968000 | 0x7f968000 | 0x7f968fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f96a000 | 0x7f96a000 | 0x7f96cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f96d000 | 0x7f96d000 | 0x7f96ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #129: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-PerfTrack-MSHTML/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe0c |
| Parent PID | 0xd9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D90
0x
E08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eca0000 | 0x7eca0000 | 0x7ecc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecc6000 | 0x7ecc6000 | 0x7ecc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecc7000 | 0x7ecc7000 | 0x7ecc7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eccd000 | 0x7eccd000 | 0x7eccffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #130: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #130 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-WS-Licensing/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:01:59, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe18 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF0
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000560000 | 0x00560000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0056ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00573fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00581fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00583fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x005a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00711fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00720000 | 0x007ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c50000 | 0x00f86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e680000 | 0x7e680000 | 0x7e77ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e780000 | 0x7e780000 | 0x7e7a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7a6000 | 0x7e7a6000 | 0x7e7a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7a9000 | 0x7e7a9000 | 0x7e7a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7ac000 | 0x7e7ac000 | 0x7e7aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7af000 | 0x7e7af000 | 0x7e7affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #132: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-WS-Licensing/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe24 |
| Parent PID | 0xe18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E20
0x
E14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x04b9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c70000 | 0x04c70000 | 0x04c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c80000 | 0x04c80000 | 0x04c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04c91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fec0000 | 0x7fec0000 | 0x7fee2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007feeb000 | 0x7feeb000 | 0x7feedfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feee000 | 0x7feee000 | 0x7feeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feef000 | 0x7feef000 | 0x7feeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #133: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-WS-Licensing/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0029ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00470000 | 0x0052dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008c0000 | 0x00bf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f16ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f196000 | 0x7f196000 | 0x7f198fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f199000 | 0x7f199000 | 0x7f199fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19a000 | 0x7f19a000 | 0x7f19cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19d000 | 0x7f19d000 | 0x7f19dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xde0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #135: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #135 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-WS-Licensing/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde0 |
| Parent PID | 0xdd0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D7C
0x
DE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001d0000 | 0x001d0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fbd0000 | 0x7fbd0000 | 0x7fbf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fbfa000 | 0x7fbfa000 | 0x7fbfafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbfc000 | 0x7fbfc000 | 0x7fbfefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbff000 | 0x7fbff000 | 0x7fbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #136: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-WS-Licensing/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe10 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D78
0x
224
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000400000 | 0x00400000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x0040ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00413fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00423fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00593fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005c0000 | 0x0067dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ab0000 | 0x00de6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e660000 | 0x7e660000 | 0x7e75ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e760000 | 0x7e760000 | 0x7e782fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e784000 | 0x7e784000 | 0x7e784fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e787000 | 0x7e787000 | 0x7e789fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e78a000 | 0x7e78a000 | 0x7e78cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e78d000 | 0x7e78d000 | 0x7e78dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 77, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #138: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #138 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-WS-Licensing/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf4 |
| Parent PID | 0xe10 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF8
0x
350
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ed92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed95000 | 0x7ed95000 | 0x7ed95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed9c000 | 0x7ed9c000 | 0x7ed9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed9f000 | 0x7ed9f000 | 0x7ed9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #139: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #139 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AAD/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe34 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E50
0x
348
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00900000 | 0x009bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d70000 | 0x010a6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee15000 | 0x7ee15000 | 0x7ee15fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee19000 | 0x7ee19000 | 0x7ee19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1a000 | 0x7ee1a000 | 0x7ee1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1d000 | 0x7ee1d000 | 0x7ee1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #141: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #141 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AAD/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd8 |
| Parent PID | 0xe34 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E54
0x
C64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00101fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f193000 | 0x7f193000 | 0x7f193fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19c000 | 0x7f19c000 | 0x7f19efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19f000 | 0x7f19f000 | 0x7f19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #142: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #142 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AAD/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe38 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E6C
0x
B48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a40000 | 0x00a40000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c00000 | 0x00cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f2effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f312fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f318000 | 0x7f318000 | 0x7f31afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31b000 | 0x7f31b000 | 0x7f31dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31e000 | 0x7f31e000 | 0x7f31efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31f000 | 0x7f31f000 | 0x7f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #144: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #144 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AAD/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0xe38 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E40
0x
5F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000970000 | 0x00970000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a61fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f389000 | 0x7f389000 | 0x7f389fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38b000 | 0x7f38b000 | 0x7f38dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38e000 | 0x7f38e000 | 0x7f38efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #145: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ADSI/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x328 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
304
0x
268
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d90000 | 0x00d90000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f50000 | 0x0100dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005610000 | 0x05610000 | 0x0561ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05620000 | 0x05956fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f490000 | 0x7f490000 | 0x7f4b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4b6000 | 0x7f4b6000 | 0x7f4b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4b9000 | 0x7f4b9000 | 0x7f4bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bc000 | 0x7f4bc000 | 0x7f4befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bf000 | 0x7f4bf000 | 0x7f4bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x14c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #147: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #147 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ADSI/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x14c |
| Parent PID | 0x328 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB4
0x
6FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebd0000 | 0x7ebd0000 | 0x7ebf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebf4000 | 0x7ebf4000 | 0x7ebf4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebfc000 | 0x7ebfc000 | 0x7ebfefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebff000 | 0x7ebff000 | 0x7ebfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #148: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ASN1/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc1c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6E0
0x
E2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00540000 | 0x005fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b50000 | 0x00e86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8d0000 | 0x7f8d0000 | 0x7f9cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9d0000 | 0x7f9d0000 | 0x7f9f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9f8000 | 0x7f9f8000 | 0x7f9fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9fb000 | 0x7f9fb000 | 0x7f9fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9fe000 | 0x7f9fe000 | 0x7f9fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9ff000 | 0x7f9ff000 | 0x7f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 21, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #150: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #150 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ASN1/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe3c |
| Parent PID | 0xc1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B44
0x
E68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009a0000 | 0x009a0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed14000 | 0x7ed14000 | 0x7ed14fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed18000 | 0x7ed18000 | 0x7ed18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1d000 | 0x7ed1d000 | 0x7ed1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #151: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #151 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ATAPort/General" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x830 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
C08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000540000 | 0x00540000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0054ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00563fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00583fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00700000 | 0x007bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ae0000 | 0x00e16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e96ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e970000 | 0x7e970000 | 0x7e992fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e995000 | 0x7e995000 | 0x7e997fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e998000 | 0x7e998000 | 0x7e99afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99b000 | 0x7e99b000 | 0x7e99bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99e000 | 0x7e99e000 | 0x7e99efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xecc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #153: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #153 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ATAPort/General" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xecc |
| Parent PID | 0x830 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7AC
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000410000 | 0x00410000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00431fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00453fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00501fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3d0000 | 0x7f3d0000 | 0x7f3f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3fa000 | 0x7f3fa000 | 0x7f3fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3fd000 | 0x7f3fd000 | 0x7f3fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ff000 | 0x7f3ff000 | 0x7f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #154: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #154 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ATAPort/SATA-LPM" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
380
0x
F48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008e0000 | 0x008e0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00901fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c60000 | 0x00d1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7f07ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f0a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0a3000 | 0x7f0a3000 | 0x7f0a3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0a7000 | 0x7f0a7000 | 0x7f0a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0aa000 | 0x7f0aa000 | 0x7f0aafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ad000 | 0x7f0ad000 | 0x7f0affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #156: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #156 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ATAPort/SATA-LPM" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf24 |
| Parent PID | 0xa80 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F34
0x
F2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x04e3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e61fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7a0000 | 0x7e7a0000 | 0x7e7c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7c5000 | 0x7e7c5000 | 0x7e7c5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7cc000 | 0x7e7cc000 | 0x7e7cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7cf000 | 0x7e7cf000 | 0x7e7cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #157: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ActionQueue/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfac |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F8C
0x
D14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00db0000 | 0x00e6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05290000 | 0x055c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7efeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eff0000 | 0x7eff0000 | 0x7f012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f016000 | 0x7f016000 | 0x7f016fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f019000 | 0x7f019000 | 0x7f01bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f01c000 | 0x7f01c000 | 0x7f01cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f01d000 | 0x7f01d000 | 0x7f01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x818, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #159: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #159 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ActionQueue/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x818 |
| Parent PID | 0xfac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F14
0x
EFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eeb0000 | 0x7eeb0000 | 0x7eed2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eeda000 | 0x7eeda000 | 0x7eedcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eedd000 | 0x7eedd000 | 0x7eeddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eedf000 | 0x7eedf000 | 0x7eedffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #160: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-All-User-Install-Agent/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd44 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D3C
0x
544
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001a0000 | 0x001a0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x0041dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007b0000 | 0x00ae6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7eb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7eb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb73000 | 0x7eb73000 | 0x7eb73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb79000 | 0x7eb79000 | 0x7eb7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7c000 | 0x7eb7c000 | 0x7eb7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7d000 | 0x7eb7d000 | 0x7eb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x724, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #162: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #162 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-All-User-Install-Agent/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x724 |
| Parent PID | 0xd44 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ADC
0x
F64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005b0000 | 0x005b0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00683fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00690fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6b0000 | 0x7f6b0000 | 0x7f6d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6d6000 | 0x7f6d6000 | 0x7f6d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6dc000 | 0x7f6dc000 | 0x7f6defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6df000 | 0x7f6df000 | 0x7f6dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #163: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #163 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AllJoyn/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf7c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F5C
0x
E58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b60000 | 0x00b60000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f10000 | 0x00fcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f7d0000 | 0x7f7d0000 | 0x7f8cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f8d0000 | 0x7f8d0000 | 0x7f8f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8f8000 | 0x7f8f8000 | 0x7f8f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8f9000 | 0x7f8f9000 | 0x7f8fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8fc000 | 0x7f8fc000 | 0x7f8fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ff000 | 0x7f8ff000 | 0x7f8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 28, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x510, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #165: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #165 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AllJoyn/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x510 |
| Parent PID | 0xf7c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
950
0x
F40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x04caffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04da1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee4b000 | 0x7ee4b000 | 0x7ee4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4e000 | 0x7ee4e000 | 0x7ee4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4f000 | 0x7ee4f000 | 0x7ee4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #166: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #166 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AllJoyn/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D08
0x
5DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x0071ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00723fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008d0000 | 0x0098dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cc0000 | 0x00ff6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f3fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f400000 | 0x7f400000 | 0x7f422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f428000 | 0x7f428000 | 0x7f42afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f42b000 | 0x7f42b000 | 0x7f42bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f42c000 | 0x7f42c000 | 0x7f42efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f42f000 | 0x7f42f000 | 0x7f42ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 235, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x63c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #168: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #168 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AllJoyn/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x63c |
| Parent PID | 0x2d0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C98
0x
D38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a40000 | 0x00a40000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a61fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efa0000 | 0x7efa0000 | 0x7efc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efca000 | 0x7efca000 | 0x7efcafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efcb000 | 0x7efcb000 | 0x7efcbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efcd000 | 0x7efcd000 | 0x7efcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #169: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #169 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Anytime-Upgrade-Events/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x59c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
404
0x
548
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b80000 | 0x00b80000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d40000 | 0x00dfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2e0000 | 0x7f2e0000 | 0x7f3dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3e0000 | 0x7f3e0000 | 0x7f402fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f403000 | 0x7f403000 | 0x7f403fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f408000 | 0x7f408000 | 0x7f408fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f40a000 | 0x7f40a000 | 0x7f40cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f40d000 | 0x7f40d000 | 0x7f40ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x438, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #171: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #171 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Anytime-Upgrade-Events/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x438 |
| Parent PID | 0x59c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
848
0x
C04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7eb02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb04000 | 0x7eb04000 | 0x7eb04fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0c000 | 0x7eb0c000 | 0x7eb0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0f000 | 0x7eb0f000 | 0x7eb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #172: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #172 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Anytime-Upgrade/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF4
0x
540
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00800000 | 0x008bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ae0000 | 0x00e16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7f0cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0f6000 | 0x7f0f6000 | 0x7f0f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0f9000 | 0x7f0f9000 | 0x7f0fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fc000 | 0x7f0fc000 | 0x7f0fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ff000 | 0x7f0ff000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x788, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #174: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #174 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Anytime-Upgrade/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x788 |
| Parent PID | 0xf4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
94C
0x
B24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x04e8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f60000 | 0x04f60000 | 0x04f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x04f70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e550000 | 0x7e550000 | 0x7e572fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e57b000 | 0x7e57b000 | 0x7e57dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e57e000 | 0x7e57e000 | 0x7e57efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e57f000 | 0x7e57f000 | 0x7e57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #175: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #175 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B4C
0x
978
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000550000 | 0x00550000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0055ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00563fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00573fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00593fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00701fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00710000 | 0x007cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d80000 | 0x010b6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f450000 | 0x7f450000 | 0x7f54ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f550000 | 0x7f550000 | 0x7f572fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f577000 | 0x7f577000 | 0x7f579fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57a000 | 0x7f57a000 | 0x7f57cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57d000 | 0x7f57d000 | 0x7f57dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57f000 | 0x7f57f000 | 0x7f57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #177: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #177 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppHost/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0x5f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
998
0x
99C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00523fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e880000 | 0x7e880000 | 0x7e8a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8a6000 | 0x7e8a6000 | 0x7e8a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8a7000 | 0x7e8a7000 | 0x7e8a7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ad000 | 0x7e8ad000 | 0x7e8affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #178: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #178 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/ApplicationTracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x994 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
0x
CC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d00000 | 0x00d00000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ec0000 | 0x00f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x053cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055b0000 | 0x055b0000 | 0x055bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055c0000 | 0x058f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3e0000 | 0x7f3e0000 | 0x7f4dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f506000 | 0x7f506000 | 0x7f506fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f509000 | 0x7f509000 | 0x7f50bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50c000 | 0x7f50c000 | 0x7f50cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50d000 | 0x7f50d000 | 0x7f50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #180: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #180 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppHost/ApplicationTracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf9c |
| Parent PID | 0x994 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
0x
EF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x04ecffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x04f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3b0000 | 0x7e3b0000 | 0x7e3d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3d8000 | 0x7e3d8000 | 0x7e3d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3db000 | 0x7e3db000 | 0x7e3ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3de000 | 0x7e3de000 | 0x7e3defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #181: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #181 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf18 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F98
0x
7EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008a0000 | 0x008a0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a80000 | 0x00b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f460000 | 0x7f460000 | 0x7f55ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f560000 | 0x7f560000 | 0x7f582fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f583000 | 0x7f583000 | 0x7f583fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f589000 | 0x7f589000 | 0x7f58bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58c000 | 0x7f58c000 | 0x7f58efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58f000 | 0x7f58f000 | 0x7f58ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 174, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x920, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #183: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #183 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppHost/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x920 |
| Parent PID | 0xf18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE4
0x
FF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000250000 | 0x00250000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f625000 | 0x7f625000 | 0x7f625fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62c000 | 0x7f62c000 | 0x7f62efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62f000 | 0x7f62f000 | 0x7f62ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #184: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #184 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppHost/Internal" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C2C
0x
EDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x0071ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00723fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008d0000 | 0x0098dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00e00000 | 0x01136fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e730000 | 0x7e730000 | 0x7e82ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e830000 | 0x7e830000 | 0x7e852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e856000 | 0x7e856000 | 0x7e858fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e859000 | 0x7e859000 | 0x7e859fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e85c000 | 0x7e85c000 | 0x7e85efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e85f000 | 0x7e85f000 | 0x7e85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 86, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x3d0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #187: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #187 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppHost/Internal" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d0 |
| Parent PID | 0x7d8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CFC
0x
C3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00563fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00581fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ee72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee7b000 | 0x7ee7b000 | 0x7ee7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee7c000 | 0x7ee7c000 | 0x7ee7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee7f000 | 0x7ee7f000 | 0x7ee7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #188: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #188 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppID/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc74 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF4
0x
B20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000520000 | 0x00520000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0052ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00543fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00563fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006e0000 | 0x0079dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cb0000 | 0x00fe6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5a0000 | 0x7e5a0000 | 0x7e69ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6a0000 | 0x7e6a0000 | 0x7e6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6c7000 | 0x7e6c7000 | 0x7e6c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6c9000 | 0x7e6c9000 | 0x7e6cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6cc000 | 0x7e6cc000 | 0x7e6ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6cd000 | 0x7e6cd000 | 0x7e6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdb8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #190: cmd.exe
203
0
| Information | Value |
|---|---|
| ID | #190 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C cd C:\ProgramData\ && release.bat |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc8c |
| Parent PID | 0xfdc (c:\users\ciihmnxmn6ps\desktop\kraken.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
67C
0x
CE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000aae8d00000 | 0xaae8d00000 | 0xaae8d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000aae8d00000 | 0xaae8d00000 | 0xaae8d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000aae8d10000 | 0xaae8d10000 | 0xaae8d16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000aae8d20000 | 0xaae8d20000 | 0xaae8d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000aae8d40000 | 0xaae8d40000 | 0xaae8e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000aae8e40000 | 0xaae8e40000 | 0xaae8e43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000aae8e50000 | 0xaae8e50000 | 0xaae8e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000aae8e60000 | 0xaae8e60000 | 0xaae8e61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xaae8e70000 | 0xaae8f2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000aae8f30000 | 0xaae8f30000 | 0xaae8f36fff | Private Memory | rw |
|
|
|
- |
| private_0x000000aae8f40000 | 0xaae8f40000 | 0xaae8f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aae8f50000 | 0xaae8f50000 | 0xaae904ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aae9050000 | 0xaae9050000 | 0xaae914ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000aae9220000 | 0xaae9220000 | 0xaae922ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xaae9230000 | 0xaae9566fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff6a0000 | 0x7df5ff6a0000 | 0x7ff5ff69ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648400000 | 0x7ff648400000 | 0x7ff6484fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648500000 | 0x7ff648500000 | 0x7ff648522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64852a000 | 0x7ff64852a000 | 0x7ff64852bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64852c000 | 0x7ff64852c000 | 0x7ff64852dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64852e000 | 0x7ff64852e000 | 0x7ff64852efff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x7ff6493d0000 | 0x7ff649428fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x7ffaf0470000 | 0x7ffaf0479fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (131)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\release.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
7 | |
| Create | C:\ProgramData\release.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\release.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData | type = file_attributes |
|
2 | |
| Get Info | release.bat | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
7 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | cmd.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
30 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
28 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 789 |
|
1 | |
| Read | - | size = 8191, size_out = 771 |
|
1 | |
| Read | - | size = 8191, size_out = 769 |
|
1 | |
| Read | - | size = 8191, size_out = 753 |
|
1 | |
| Read | - | size = 8191, size_out = 742 |
|
1 | |
| Read | - | size = 8191, size_out = 740 |
|
1 | |
| Read | - | size = 8191, size_out = 696 |
|
1 | |
| Read | - | size = 8191, size_out = 637 |
|
1 | |
| Read | - | size = 8191, size_out = 541 |
|
1 | |
| Read | - | size = 8191, size_out = 539 |
|
1 | |
| Read | - | size = 8191, size_out = 509 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0x57c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0xd90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xda0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6493d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffaf70ed550 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffaf70f25e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffaf70f1f90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffaf4ea3a10 |
|
1 |
Environment (42)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
8 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
8 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = =C:, value = C:\ProgramData |
|
1 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 |
Process #191: cmd.exe
72
0
| Information | Value |
|---|---|
| ID | #191 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\CIiHmnxMn6Ps\Desktop\Kraken.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb4 |
| Parent PID | 0xfdc (c:\users\ciihmnxmn6ps\desktop\kraken.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F6C
0x
D98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000622f790000 | 0x622f790000 | 0x622f7affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000622f790000 | 0x622f790000 | 0x622f79ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000622f7a0000 | 0x622f7a0000 | 0x622f7a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000622f7b0000 | 0x622f7b0000 | 0x622f7c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000622f7d0000 | 0x622f7d0000 | 0x622f8cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000622f8d0000 | 0x622f8d0000 | 0x622f8d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000622f8e0000 | 0x622f8e0000 | 0x622f8e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000622f8f0000 | 0x622f8f0000 | 0x622f8f1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000622f900000 | 0x622f900000 | 0x622f906fff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x622f910000 | 0x622f930fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000622f960000 | 0x622f960000 | 0x622fa5ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x622fa60000 | 0x622fb1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000622fb20000 | 0x622fb20000 | 0x622fc1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000622fdd0000 | 0x622fdd0000 | 0x622fddffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x622fde0000 | 0x6230116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff2d0000 | 0x7df5ff2d0000 | 0x7ff5ff2cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648b80000 | 0x7ff648b80000 | 0x7ff648c7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648c80000 | 0x7ff648c80000 | 0x7ff648ca2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648caa000 | 0x7ff648caa000 | 0x7ff648caafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648cac000 | 0x7ff648cac000 | 0x7ff648cadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648cae000 | 0x7ff648cae000 | 0x7ff648caffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x7ff6493d0000 | 0x7ff649428fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (25)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | NUL | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
3 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Kraken.exe | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
12 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | \??\C:\Users\CIiHmnxMn6Ps\Desktop\Kraken.exe | desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 57 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xd74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6493d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffaf70ed550 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffaf70f25e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffaf70f1f90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffaf4ea3a10 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #192: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #192 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppID/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0xc74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
0x
458
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x04d4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x0519ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef78000 | 0x7ef78000 | 0x7ef78fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #195: ping.exe
73
6
| Information | Value |
|---|---|
| ID | #195 |
| File Name | c:\windows\system32\ping.exe |
| Command Line | ping 127.0.0.1 -n 3 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0xcb4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA4
0x
D1C
0x
F80
0x
B00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004124f90000 | 0x4124f90000 | 0x4124faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004124f90000 | 0x4124f90000 | 0x4124f9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004124fa0000 | 0x4124fa0000 | 0x4124fa6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004124fb0000 | 0x4124fb0000 | 0x4124fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004124fd0000 | 0x4124fd0000 | 0x412504ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004125050000 | 0x4125050000 | 0x4125053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004125060000 | 0x4125060000 | 0x4125060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004125070000 | 0x4125070000 | 0x4125071fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4125080000 | 0x412513dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004125140000 | 0x4125140000 | 0x41251bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000041251c0000 | 0x41251c0000 | 0x41251c6fff | Private Memory | rw |
|
|
|
- |
| ping.exe.mui | 0x41251d0000 | 0x41251d2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000041251f0000 | 0x41251f0000 | 0x41252effff | Private Memory | rw |
|
|
|
- |
| private_0x00000041252f0000 | 0x41252f0000 | 0x412536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004125370000 | 0x4125370000 | 0x41253effff | Private Memory | rw |
|
|
|
- |
| private_0x00000041254e0000 | 0x41254e0000 | 0x41254effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff120000 | 0x7df5ff120000 | 0x7ff5ff11ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff74eab0000 | 0x7ff74eab0000 | 0x7ff74ebaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff74ebb0000 | 0x7ff74ebb0000 | 0x7ff74ebd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff74ebd7000 | 0x7ff74ebd7000 | 0x7ff74ebd7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74ebd8000 | 0x7ff74ebd8000 | 0x7ff74ebd9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74ebda000 | 0x7ff74ebda000 | 0x7ff74ebdbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74ebdc000 | 0x7ff74ebdc000 | 0x7ff74ebddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74ebde000 | 0x7ff74ebde000 | 0x7ff74ebdffff | Private Memory | rw |
|
|
|
- |
| ping.exe | 0x7ff74f4d0000 | 0x7ff74f4dafff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ffaec7b0000 | 0x7ffaec7b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ffaec7c0000 | 0x7ffaec7c7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ffaec7d0000 | 0x7ffaec7d9fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\ping.exe | base_address = 0x7ff74f4d0000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.0.0.1, address_out = 127.0.0.1 |
|
1 |
Process #196: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #196 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | REG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete" |
| Initial Working Directory | C:\ProgramData\ |
| Monitor | Start Time: 00:02:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x57c |
| Parent PID | 0xc8c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
0x
F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002201500000 | 0x2201500000 | 0x220151ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002201500000 | 0x2201500000 | 0x220150ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000002201510000 | 0x2201510000 | 0x2201516fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002201520000 | 0x2201520000 | 0x2201533fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002201540000 | 0x2201540000 | 0x22015bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000022015c0000 | 0x22015c0000 | 0x22015c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000022015d0000 | 0x22015d0000 | 0x22015d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000022015e0000 | 0x22015e0000 | 0x22015e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x22015f0000 | 0x22016adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000022016b0000 | 0x22016b0000 | 0x220172ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002201730000 | 0x2201730000 | 0x220182ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002201830000 | 0x2201830000 | 0x2201836fff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x2201840000 | 0x220191efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002201970000 | 0x2201970000 | 0x220197ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x2201980000 | 0x2201cb6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff910000 | 0x7df5ff910000 | 0x7ff5ff90ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6f4fb0000 | 0x7ff6f4fb0000 | 0x7ff6f50affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6f50b0000 | 0x7ff6f50b0000 | 0x7ff6f50d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6f50db000 | 0x7ff6f50db000 | 0x7ff6f50dcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f50dd000 | 0x7ff6f50dd000 | 0x7ff6f50defff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f50df000 | 0x7ff6f50df000 | 0x7ff6f50dffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x7ff6f5ec0000 | 0x7ff6f5f15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | size = 2, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0x7ff6f5ec0000 |
|
1 |
Process #197: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #197 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/EXE and DLL" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D40
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c70000 | 0x00d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7f02ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f057000 | 0x7f057000 | 0x7f057fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f059000 | 0x7f059000 | 0x7f05bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05c000 | 0x7f05c000 | 0x7f05efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05f000 | 0x7f05f000 | 0x7f05ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 35, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #199: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #199 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppLocker/EXE and DLL" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd4 |
| Parent PID | 0xee8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
688
0x
F44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000660000 | 0x00660000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00681fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f1d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1d9000 | 0x7f1d9000 | 0x7f1dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1dc000 | 0x7f1dc000 | 0x7f1dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1dd000 | 0x7f1dd000 | 0x7f1ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #200: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #200 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | REG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete" /v EulaAccepted /t REG_DWORD /d 1 /f |
| Initial Working Directory | C:\ProgramData\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0xc8c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E08
0x
E00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004474c20000 | 0x4474c20000 | 0x4474c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004474c20000 | 0x4474c20000 | 0x4474c2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004474c30000 | 0x4474c30000 | 0x4474c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004474c40000 | 0x4474c40000 | 0x4474c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004474c60000 | 0x4474c60000 | 0x4474cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004474ce0000 | 0x4474ce0000 | 0x4474ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004474cf0000 | 0x4474cf0000 | 0x4474cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004474d00000 | 0x4474d00000 | 0x4474d01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4474d10000 | 0x4474dcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004474dd0000 | 0x4474dd0000 | 0x4474e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004474e50000 | 0x4474e50000 | 0x4474e56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004474e60000 | 0x4474e60000 | 0x4474e66fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004474e80000 | 0x4474e80000 | 0x4474f7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x4474f80000 | 0x44752b6fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x44752c0000 | 0x447539efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff790000 | 0x7df5ff790000 | 0x7ff5ff78ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6f5a30000 | 0x7ff6f5a30000 | 0x7ff6f5b2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6f5b30000 | 0x7ff6f5b30000 | 0x7ff6f5b52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6f5b55000 | 0x7ff6f5b55000 | 0x7ff6f5b55fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f5b5c000 | 0x7ff6f5b5c000 | 0x7ff6f5b5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6f5b5e000 | 0x7ff6f5b5e000 | 0x7ff6f5b5ffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x7ff6f5ec0000 | 0x7ff6f5f15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | value_name = EulaAccepted |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\reg.exe | base_address = 0x7ff6f5ec0000 |
|
1 |
Process #201: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #201 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c C:\ProgramData\sdelete.exe -c -z C: |
| Initial Working Directory | C:\ProgramData\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda0 |
| Parent PID | 0xc8c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D94
0x
E04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003539d10000 | 0x3539d10000 | 0x3539d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003539d10000 | 0x3539d10000 | 0x3539d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003539d20000 | 0x3539d20000 | 0x3539d26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003539d30000 | 0x3539d30000 | 0x3539d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003539d50000 | 0x3539d50000 | 0x3539e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003539e50000 | 0x3539e50000 | 0x3539e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003539e60000 | 0x3539e60000 | 0x3539e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003539e70000 | 0x3539e70000 | 0x3539e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3539e80000 | 0x3539f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003539f40000 | 0x3539f40000 | 0x3539f46fff | Private Memory | rw |
|
|
|
- |
| private_0x000000353a020000 | 0x353a020000 | 0x353a02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000353a030000 | 0x353a030000 | 0x353a12ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000353a130000 | 0x353a130000 | 0x353a22ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x353a230000 | 0x353a566fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffa80000 | 0x7df5ffa80000 | 0x7ff5ffa7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sysmain.sdb | 0x7ff648200000 | 0x7ff64858ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007ff648590000 | 0x7ff648590000 | 0x7ff64868ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648690000 | 0x7ff648690000 | 0x7ff6486b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6486b8000 | 0x7ff6486b8000 | 0x7ff6486b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6486bc000 | 0x7ff6486bc000 | 0x7ff6486bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6486be000 | 0x7ff6486be000 | 0x7ff6486bffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x7ff6493d0000 | 0x7ff649428fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffaf2b90000 | 0x7ffaf2c07fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\ProgramData | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\sdelete.exe | os_pid = 0xda4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff6493d0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffaf70ed550 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffaf70f25e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffaf70f1f90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffaf4ea3a10 |
|
1 |
Environment (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\ProgramData |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #202: sdelete.exe
16671
0
| Information | Value |
|---|---|
| ID | #202 |
| File Name | c:\programdata\sdelete.exe |
| Command Line | C:\ProgramData\sdelete.exe -c -z C: |
| Initial Working Directory | C:\ProgramData\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda4 |
| Parent PID | 0xda0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC0
0x
5B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| sdelete.exe | 0x00950000 | 0x00977fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c30000 | 0x00cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x01237fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001260000 | 0x01260000 | 0x013e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x027effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x0290ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02910000 | 0x02c46fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74270000 | 0x7429efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x742a0000 | 0x742bafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x742c0000 | 0x742d2fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x742e0000 | 0x74371fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x743f0000 | 0x74408fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f19ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f1c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1c4000 | 0x7f1c4000 | 0x7f1c4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1c8000 | 0x7f1c8000 | 0x7f1cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1cb000 | 0x7f1cb000 | 0x7f1cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ce000 | 0x7f1ce000 | 0x7f1cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (4164)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\SDELTEMP | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_DELETE_ON_CLOSE, FILE_FLAG_SEQUENTIAL_SCAN, FILE_FLAG_NO_BUFFERING |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 119 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 28 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\SDELTEMP | size = 524288 |
|
4151 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\SDELTEMP | size = 524288 |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | value_name = EulaAccepted, data = 1 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\SDelete | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (8346)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
4153 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77990000 |
|
2 | |
| Get Filename | - | process_name = c:\programdata\sdelete.exe, file_name_orig = C:\ProgramData\sdelete.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\programdata\sdelete.exe, file_name_orig = C:\ProgramData\sdelete.exe, size = 520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtFsControlFile, address_out = 0x779f8f70 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x779e3010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x7516b6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x751562d0 |
|
4152 |
Driver (1)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | C:\Users\CIIHMN~1\AppData\Local\Temp\SDELTEMP | control_code = 0x9c040 |
|
1 |
System (1772)
| Operation | Additional Information | Success | Count | Logfile | |
|---|---|---|---|---|---|
| Get Time | type = Ticks, time = 240093 |
|
1 | ||
| Get Time | type = Ticks, time = 240109 |
|
3 | ||
| Get Time | type = Ticks, time = 240140 |
|
1 | ||
| Get Time | type = Ticks, time = 240156 |
|
2 | ||
| Get Time | type = Ticks, time = 240171 |
|
1 | ||
| Get Time | type = Ticks, time = 240187 |
|
2 | ||
| Get Time | type = Ticks, time = 240640 |
|
1 | ||
| Get Time | type = Ticks, time = 240781 |
|
1 | ||
| Get Time | type = Ticks, time = 240859 |
|
1 | ||
| Get Time | type = Ticks, time = 240906 |
|
1 | ||
| Get Time | type = Ticks, time = 241046 |
|
1 | ||
| Get Time | type = Ticks, time = 241062 |
|
6 | ||
| Get Time | type = Ticks, time = 241078 |
|
1 | ||
| Get Time | type = Ticks, time = 241171 |
|
1 | ||
| Get Time | type = Ticks, time = 241203 |
|
1 | ||
| Get Time | type = Ticks, time = 241265 |
|
1 | ||
| Get Time | type = Ticks, time = 241312 |
|
1 | ||
| Get Time | type = Ticks, time = 241453 |
|
1 | ||
| Get Time | type = Ticks, time = 241515 |
|
1 | ||
| Get Time | type = Ticks, time = 241687 |
|
1 | ||
| Get Time | type = Ticks, time = 241750 |
|
1 | ||
| Get Time | type = Ticks, time = 241765 |
|
1 | ||
| Get Time | type = Ticks, time = 241828 |
|
1 | ||
| Get Time | type = Ticks, time = 241906 |
|
1 | ||
| Get Time | type = Ticks, time = 241937 |
|
1 | ||
| Get Time | type = Ticks, time = 241984 |
|
1 | ||
| Get Time | type = Ticks, time = 242015 |
|
1 | ||
| Get Time | type = Ticks, time = 242171 |
|
1 | ||
| Get Time | type = Ticks, time = 242265 |
|
1 | ||
| Get Time | type = Ticks, time = 242343 |
|
1 | ||
| Get Time | type = Ticks, time = 242375 |
|
1 | ||
| Get Time | type = Ticks, time = 242421 |
|
1 | ||
| Get Time | type = Ticks, time = 242515 |
|
1 | ||
| Get Time | type = Ticks, time = 242546 |
|
1 | ||
| Get Time | type = Ticks, time = 242593 |
|
1 | ||
| Get Time | type = Ticks, time = 242625 |
|
1 | ||
| Get Time | type = Ticks, time = 242734 |
|
1 | ||
| Get Time | type = Ticks, time = 242812 |
|
1 | ||
| Get Time | type = Ticks, time = 242875 |
|
1 | ||
| Get Time | type = Ticks, time = 242937 |
|
1 | ||
| Get Time | type = Ticks, time = 243031 |
|
1 | ||
| Get Time | type = Ticks, time = 243062 |
|
2 | ||
| Get Time | type = Ticks, time = 243140 |
|
1 | ||
| Get Time | type = Ticks, time = 243250 |
|
1 | ||
| Get Time | type = Ticks, time = 243328 |
|
1 | ||
| Get Time | type = Ticks, time = 243468 |
|
1 | ||
| Get Time | type = Ticks, time = 243531 |
|
3 | ||
| Get Time | type = Ticks, time = 243593 |
|
1 | ||
| Get Time | type = Ticks, time = 243734 |
|
1 | ||
| Get Time | type = Ticks, time = 243781 |
|
1 | ||
| Get Time | type = Ticks, time = 243796 |
|
1 | ||
| Get Time | type = Ticks, time = 243859 |
|
1 | ||
| Get Time | type = Ticks, time = 243968 |
|
1 | ||
| Get Time | type = Ticks, time = 244015 |
|
2 | ||
| Get Time | type = Ticks, time = 244203 |
|
1 | ||
| Get Time | type = Ticks, time = 244281 |
|
1 | ||
| Get Time | type = Ticks, time = 244390 |
|
1 | ||
| Get Time | type = Ticks, time = 244484 |
|
1 | ||
| Get Time | type = Ticks, time = 244546 |
|
1 | ||
| Get Time | type = Ticks, time = 244734 |
|
1 | ||
| Get Time | type = Ticks, time = 244781 |
|
1 | ||
| Get Time | type = Ticks, time = 244828 |
|
1 | ||
| Get Time | type = Ticks, time = 244875 |
|
1 | ||
| Get Time | type = Ticks, time = 244890 |
|
1 | ||
| Get Time | type = Ticks, time = 245203 |
|
3 | ||
| Get Time | type = Ticks, time = 245218 |
|
5 | ||
| Get Time | type = Ticks, time = 245234 |
|
5 | ||
| Get Time | type = Ticks, time = 245812 |
|
1 | ||
| Get Time | type = Ticks, time = 245984 |
|
1 | ||
| Get Time | type = Ticks, time = 246062 |
|
1 | ||
| Get Time | type = Ticks, time = 246140 |
|
1 | ||
| Get Time | type = Ticks, time = 246250 |
|
1 | ||
| Get Time | type = Ticks, time = 246296 |
|
1 | ||
| Get Time | type = Ticks, time = 246343 |
|
1 | ||
| Get Time | type = Ticks, time = 246359 |
|
1 | ||
| Get Time | type = Ticks, time = 246390 |
|
1 | ||
| Get Time | type = Ticks, time = 246437 |
|
1 | ||
| Get Time | type = Ticks, time = 246468 |
|
9 | ||
| Get Time | type = Ticks, time = 246484 |
|
1 | ||
| Get Time | type = Ticks, time = 246515 |
|
1 | ||
| Get Time | type = Ticks, time = 246531 |
|
1 | ||
| Get Time | type = Ticks, time = 246562 |
|
1 | ||
| Get Time | type = Ticks, time = 246578 |
|
1 | ||
| Get Time | type = Ticks, time = 246609 |
|
4 | ||
| Get Time | type = Ticks, time = 246843 |
|
1 | ||
| Get Time | type = Ticks, time = 246937 |
|
1 | ||
| Get Time | type = Ticks, time = 247000 |
|
1 | ||
| Get Time | type = Ticks, time = 247171 |
|
1 | ||
| Get Time | type = Ticks, time = 247375 |
|
1 | ||
| Get Time | type = Ticks, time = 247453 |
|
1 | ||
| Get Time | type = Ticks, time = 247500 |
|
1 | ||
| Get Time | type = Ticks, time = 247515 |
|
1 | ||
| Get Time | type = Ticks, time = 247562 |
|
1 | ||
| Get Time | type = Ticks, time = 247593 |
|
1 | ||
| Get Time | type = Ticks, time = 247828 |
|
1 | ||
| Get Time | type = Ticks, time = 247906 |
|
1 | ||
| Get Time | type = Ticks, time = 248078 |
|
1 | ||
| Get Time | type = Ticks, time = 248187 |
|
1 | ||
| Get Time | type = Ticks, time = 248218 |
|
1 | ||
| Get Time | type = Ticks, time = 248281 |
|
1 | ||
| Get Time | type = Ticks, time = 248390 |
|
1 | ||
| Get Time | type = Ticks, time = 248421 |
|
1 | ||
| Get Time | type = Ticks, time = 248437 |
|
1 | ||
| Get Time | type = Ticks, time = 248484 |
|
1 | ||
| Get Time | type = Ticks, time = 248546 |
|
1 | ||
| Get Time | type = Ticks, time = 248593 |
|
1 | ||
| Get Time | type = Ticks, time = 248984 |
|
1 | ||
| Get Time | type = Ticks, time = 249046 |
|
1 | ||
| Get Time | type = Ticks, time = 249062 |
|
1 | ||
| Get Time | type = Ticks, time = 249093 |
|
1 | ||
| Get Time | type = Ticks, time = 249125 |
|
1 | ||
| Get Time | type = Ticks, time = 249156 |
|
1 | ||
| Get Time | type = Ticks, time = 249171 |
|
1 | ||
| Get Time | type = Ticks, time = 249203 |
|
1 | ||
| Get Time | type = Ticks, time = 249312 |
|
1 | ||
| Get Time | type = Ticks, time = 249359 |
|
1 | ||
| Get Time | type = Ticks, time = 249406 |
|
1 | ||
| Get Time | type = Ticks, time = 249437 |
|
1 | ||
| Get Time | type = Ticks, time = 249484 |
|
1 | ||
| Get Time | type = Ticks, time = 249500 |
|
1 | ||
| Get Time | type = Ticks, time = 249546 |
|
1 | ||
| Get Time | type = Ticks, time = 249734 |
|
2 | ||
| Get Time | type = Ticks, time = 249765 |
|
2 | ||
| Get Time | type = Ticks, time = 249812 |
|
1 | ||
| Get Time | type = Ticks, time = 249890 |
|
1 | ||
| Get Time | type = Ticks, time = 249921 |
|
1 | ||
| Get Time | type = Ticks, time = 250281 |
|
1 | ||
| Get Time | type = Ticks, time = 250296 |
|
1 | ||
| Get Time | type = Ticks, time = 250328 |
|
1 | ||
| Get Time | type = Ticks, time = 250359 |
|
1 | ||
| Get Time | type = Ticks, time = 250375 |
|
1 | ||
| Get Time | type = Ticks, time = 250406 |
|
1 | ||
| Get Time | type = Ticks, time = 250484 |
|
1 | ||
| Get Time | type = Ticks, time = 250546 |
|
1 | ||
| Get Time | type = Ticks, time = 250640 |
|
1 | ||
| Get Time | type = Ticks, time = 250968 |
|
2 | ||
| Get Time | type = Ticks, time = 251015 |
|
1 | ||
| Get Time | type = Ticks, time = 251093 |
|
1 | ||
| Get Time | type = Ticks, time = 251312 |
|
1 | ||
| Get Time | type = Ticks, time = 251421 |
|
1 | ||
| Get Time | type = Ticks, time = 251515 |
|
1 | ||
| Get Time | type = Ticks, time = 251562 |
|
2 | ||
| Get Time | type = Ticks, time = 251609 |
|
1 | ||
| Get Time | type = Ticks, time = 251671 |
|
1 | ||
| Get Time | type = Ticks, time = 251703 |
|
1 | ||
| Get Time | type = Ticks, time = 251718 |
|
1 | ||
| Get Time | type = Ticks, time = 251765 |
|
1 | ||
| Get Time | type = Ticks, time = 251781 |
|
1 | ||
| Get Time | type = Ticks, time = 251859 |
|
1 | ||
| Get Time | type = Ticks, time = 251875 |
|
1 | ||
| Get Time | type = Ticks, time = 251906 |
|
1 | ||
| Get Time | type = Ticks, time = 251937 |
|
1 | ||
| Get Time | type = Ticks, time = 252015 |
|
1 | ||
| Get Time | type = Ticks, time = 252031 |
|
1 | ||
| Get Time | type = Ticks, time = 252062 |
|
1 | ||
| Get Time | type = Ticks, time = 252109 |
|
1 | ||
| Get Time | type = Ticks, time = 252140 |
|
1 | ||
| Get Time | type = Ticks, time = 252187 |
|
1 | ||
| Get Time | type = Ticks, time = 252265 |
|
1 | ||
| Get Time | type = Ticks, time = 252328 |
|
1 | ||
| Get Time | type = Ticks, time = 252375 |
|
2 | ||
| Get Time | type = Ticks, time = 252437 |
|
1 | ||
| Get Time | type = Ticks, time = 252500 |
|
1 | ||
| Get Time | type = Ticks, time = 252515 |
|
2 | ||
| Get Time | type = Ticks, time = 252562 |
|
1 | ||
| Get Time | type = Ticks, time = 252593 |
|
1 | ||
| Get Time | type = Ticks, time = 252671 |
|
1 | ||
| Get Time | type = Ticks, time = 252765 |
|
1 | ||
| Get Time | type = Ticks, time = 252859 |
|
1 | ||
| Get Time | type = Ticks, time = 252953 |
|
1 | ||
| Get Time | type = Ticks, time = 253015 |
|
1 | ||
| Get Time | type = Ticks, time = 253750 |
|
1 | ||
| Get Time | type = Ticks, time = 253875 |
|
1 | ||
| Get Time | type = Ticks, time = 253953 |
|
1 | ||
| Get Time | type = Ticks, time = 254375 |
|
1 | ||
| Get Time | type = Ticks, time = 254546 |
|
1 | ||
| Get Time | type = Ticks, time = 255140 |
|
1 | ||
| Get Time | type = Ticks, time = 255203 |
|
1 | ||
| Get Time | type = Ticks, time = 255234 |
|
2 | ||
| Get Time | type = Ticks, time = 255265 |
|
1 | ||
| Get Time | type = Ticks, time = 255296 |
|
2 | ||
| Get Time | type = Ticks, time = 255312 |
|
2 | ||
| Get Time | type = Ticks, time = 255328 |
|
1 | ||
| Get Time | type = Ticks, time = 255343 |
|
2 | ||
| Get Time | type = Ticks, time = 255359 |
|
1 | ||
| Get Time | type = Ticks, time = 255375 |
|
1 | ||
| Get Time | type = Ticks, time = 255406 |
|
2 | ||
| Get Time | type = Ticks, time = 255437 |
|
2 | ||
| Get Time | type = Ticks, time = 255500 |
|
1 | ||
| Get Time | type = Ticks, time = 255515 |
|
4 | ||
| Get Time | type = Ticks, time = 255562 |
|
4 | ||
| Get Time | type = Ticks, time = 255609 |
|
1 | ||
| Get Time | type = Ticks, time = 255640 |
|
1 | ||
| Get Time | type = Ticks, time = 255718 |
|
3 | ||
| Get Time | type = Ticks, time = 255734 |
|
3 | ||
| Get Time | type = Ticks, time = 255968 |
|
4 | ||
| Get Time | type = Ticks, time = 255984 |
|
4 | ||
| Get Time | type = Ticks, time = 256000 |
|
2 | ||
| Get Time | type = Ticks, time = 256046 |
|
1 | ||
| Get Time | type = Ticks, time = 256078 |
|
1 | ||
| Get Time | type = Ticks, time = 256109 |
|
1 | ||
| Get Time | type = Ticks, time = 256156 |
|
1 | ||
| Get Time | type = Ticks, time = 256250 |
|
1 | ||
| Get Time | type = Ticks, time = 256296 |
|
1 | ||
| Get Time | type = Ticks, time = 256343 |
|
1 | ||
| Get Time | type = Ticks, time = 256484 |
|
1 | ||
| Get Time | type = Ticks, time = 256531 |
|
1 | ||
| Get Time | type = Ticks, time = 256578 |
|
1 | ||
| Get Time | type = Ticks, time = 256625 |
|
2 | ||
| Get Time | type = Ticks, time = 256640 |
|
1 | ||
| Get Time | type = Ticks, time = 256656 |
|
2 | ||
| Get Time | type = Ticks, time = 256671 |
|
1 | ||
| Get Time | type = Ticks, time = 256687 |
|
1 | ||
| Get Time | type = Ticks, time = 256703 |
|
4 | ||
| Get Time | type = Ticks, time = 256718 |
|
5 | ||
| Get Time | type = Ticks, time = 256734 |
|
2 | ||
| Get Time | type = Ticks, time = 256796 |
|
1 | ||
| Get Time | type = Ticks, time = 256812 |
|
1 | ||
| Get Time | type = Ticks, time = 256859 |
|
1 | ||
| Get Time | type = Ticks, time = 256906 |
|
1 | ||
| Get Time | type = Ticks, time = 256937 |
|
2 | ||
| Get Time | type = Ticks, time = 256984 |
|
1 | ||
| Get Time | type = Ticks, time = 257000 |
|
1 | ||
| Get Time | type = Ticks, time = 257015 |
|
1 | ||
| Get Time | type = Ticks, time = 257062 |
|
1 | ||
| Get Time | type = Ticks, time = 257078 |
|
2 | ||
| Get Time | type = Ticks, time = 257093 |
|
1 | ||
| Get Time | type = Ticks, time = 257125 |
|
1 | ||
| Get Time | type = Ticks, time = 257156 |
|
1 | ||
| Get Time | type = Ticks, time = 257187 |
|
1 | ||
| Get Time | type = Ticks, time = 257203 |
|
1 | ||
| Get Time | type = Ticks, time = 257218 |
|
3 | ||
| Get Time | type = Ticks, time = 257234 |
|
4 | ||
| Get Time | type = Ticks, time = 257250 |
|
2 | ||
| Get Time | type = Ticks, time = 257265 |
|
4 | ||
| Get Time | type = Ticks, time = 257281 |
|
4 | ||
| Get Time | type = Ticks, time = 257296 |
|
4 | ||
| Get Time | type = Ticks, time = 257312 |
|
1 | ||
| Get Time | type = Ticks, time = 257328 |
|
5 | ||
| Get Time | type = Ticks, time = 257343 |
|
4 | ||
| Get Time | type = Ticks, time = 257359 |
|
4 | ||
| Get Time | type = Ticks, time = 257375 |
|
3 | ||
| Get Time | type = Ticks, time = 257390 |
|
4 | ||
| Get Time | type = Ticks, time = 257406 |
|
4 | ||
| Get Time | type = Ticks, time = 257468 |
|
1 | ||
| Get Time | type = Ticks, time = 257515 |
|
2 | ||
| Get Time | type = Ticks, time = 257546 |
|
3 | ||
| Get Time | type = Ticks, time = 257609 |
|
2 | ||
| Get Time | type = Ticks, time = 257640 |
|
1 | ||
| Get Time | type = Ticks, time = 257671 |
|
1 | ||
| Get Time | type = Ticks, time = 257718 |
|
1 | ||
| Get Time | type = Ticks, time = 257937 |
|
1 | ||
| Get Time | type = Ticks, time = 257953 |
|
1 | ||
| Get Time | type = Ticks, time = 257968 |
|
2 | ||
| Get Time | type = Ticks, time = 257984 |
|
4 | ||
| Get Time | type = Ticks, time = 258000 |
|
3 | ||
| Get Time | type = Ticks, time = 258015 |
|
3 | ||
| Get Time | type = Ticks, time = 258031 |
|
4 | ||
| Get Time | type = Ticks, time = 258046 |
|
5 | ||
| Get Time | type = Ticks, time = 258062 |
|
3 | ||
| Get Time | type = Ticks, time = 258078 |
|
2 | ||
| Get Time | type = Ticks, time = 258093 |
|
1 | ||
| Get Time | type = Ticks, time = 258109 |
|
1 | ||
| Get Time | type = Ticks, time = 258156 |
|
1 | ||
| Get Time | type = Ticks, time = 258203 |
|
1 | ||
| Get Time | type = Ticks, time = 258265 |
|
1 | ||
| Get Time | type = Ticks, time = 258328 |
|
1 | ||
| Get Time | type = Ticks, time = 258390 |
|
1 | ||
| Get Time | type = Ticks, time = 258421 |
|
1 | ||
| Get Time | type = Ticks, time = 258453 |
|
1 | ||
| Get Time | type = Ticks, time = 258468 |
|
2 | ||
| Get Time | type = Ticks, time = 258484 |
|
1 | ||
| Get Time | type = Ticks, time = 258500 |
|
1 | ||
| Get Time | type = Ticks, time = 258515 |
|
1 | ||
| Get Time | type = Ticks, time = 258531 |
|
2 | ||
| Get Time | type = Ticks, time = 258546 |
|
2 | ||
| Get Time | type = Ticks, time = 258562 |
|
1 | ||
| Get Time | type = Ticks, time = 258578 |
|
1 | ||
| Get Time | type = Ticks, time = 258593 |
|
1 | ||
| Get Time | type = Ticks, time = 258625 |
|
1 | ||
| Get Time | type = Ticks, time = 258671 |
|
1 | ||
| Get Time | type = Ticks, time = 258703 |
|
2 | ||
| Get Time | type = Ticks, time = 258921 |
|
1 | ||
| Get Time | type = Ticks, time = 258953 |
|
1 | ||
| Get Time | type = Ticks, time = 258984 |
|
1 | ||
| Get Time | type = Ticks, time = 259031 |
|
2 | ||
| Get Time | type = Ticks, time = 259046 |
|
1 | ||
| Get Time | type = Ticks, time = 259093 |
|
1 | ||
| Get Time | type = Ticks, time = 259140 |
|
1 | ||
| Get Time | type = Ticks, time = 259156 |
|
1 | ||
| Get Time | type = Ticks, time = 259187 |
|
3 | ||
| Get Time | type = Ticks, time = 259203 |
|
1 | ||
| Get Time | type = Ticks, time = 259234 |
|
1 | ||
| Get Time | type = Ticks, time = 259250 |
|
2 | ||
| Get Time | type = Ticks, time = 259265 |
|
1 | ||
| Get Time | type = Ticks, time = 259281 |
|
1 | ||
| Get Time | type = Ticks, time = 259312 |
|
1 | ||
| Get Time | type = Ticks, time = 259359 |
|
2 | ||
| Get Time | type = Ticks, time = 259375 |
|
1 | ||
| Get Time | type = Ticks, time = 259390 |
|
1 | ||
| Get Time | type = Ticks, time = 259437 |
|
1 | ||
| Get Time | type = Ticks, time = 259453 |
|
1 | ||
| Get Time | type = Ticks, time = 259484 |
|
1 | ||
| Get Time | type = Ticks, time = 259500 |
|
2 | ||
| Get Time | type = Ticks, time = 259515 |
|
1 | ||
| Get Time | type = Ticks, time = 259562 |
|
1 | ||
| Get Time | type = Ticks, time = 259609 |
|
1 | ||
| Get Time | type = Ticks, time = 259625 |
|
1 | ||
| Get Time | type = Ticks, time = 259640 |
|
1 | ||
| Get Time | type = Ticks, time = 259656 |
|
1 | ||
| Get Time | type = Ticks, time = 259687 |
|
2 | ||
| Get Time | type = Ticks, time = 259703 |
|
2 | ||
| Get Time | type = Ticks, time = 259718 |
|
2 | ||
| Get Time | type = Ticks, time = 259734 |
|
2 | ||
| Get Time | type = Ticks, time = 259859 |
|
1 | ||
| Get Time | type = Ticks, time = 259890 |
|
1 | ||
| Get Time | type = Ticks, time = 259937 |
|
1 | ||
| Get Time | type = Ticks, time = 259953 |
|
1 | ||
| Get Time | type = Ticks, time = 259968 |
|
1 | ||
| Get Time | type = Ticks, time = 260015 |
|
1 | ||
| Get Time | type = Ticks, time = 260031 |
|
1 | ||
| Get Time | type = Ticks, time = 260062 |
|
2 | ||
| Get Time | type = Ticks, time = 260125 |
|
1 | ||
| Get Time | type = Ticks, time = 260171 |
|
2 | ||
| Get Time | type = Ticks, time = 260187 |
|
1 | ||
| Get Time | type = Ticks, time = 260218 |
|
2 | ||
| Get Time | type = Ticks, time = 260250 |
|
2 | ||
| Get Time | type = Ticks, time = 260328 |
|
2 | ||
| Get Time | type = Ticks, time = 260343 |
|
2 | ||
| Get Time | type = Ticks, time = 260359 |
|
2 | ||
| Get Time | type = Ticks, time = 260375 |
|
2 | ||
| Get Time | type = Ticks, time = 260437 |
|
2 | ||
| Get Time | type = Ticks, time = 260484 |
|
2 | ||
| Get Time | type = Ticks, time = 260562 |
|
1 | ||
| Get Time | type = Ticks, time = 260578 |
|
1 | ||
| Get Time | type = Ticks, time = 260593 |
|
1 | ||
| Get Time | type = Ticks, time = 260625 |
|
1 | ||
| Get Time | type = Ticks, time = 260640 |
|
1 | ||
| Get Time | type = Ticks, time = 260671 |
|
1 | ||
| Get Time | type = Ticks, time = 260703 |
|
1 | ||
| Get Time | type = Ticks, time = 260734 |
|
1 | ||
| Get Time | type = Ticks, time = 260890 |
|
1 | ||
| Get Time | type = Ticks, time = 260937 |
|
2 | ||
| Get Time | type = Ticks, time = 260968 |
|
5 | ||
| Get Time | type = Ticks, time = 261031 |
|
2 | ||
| Get Time | type = Ticks, time = 261046 |
|
4 | ||
| Get Time | type = Ticks, time = 261062 |
|
1 | ||
| Get Time | type = Ticks, time = 261109 |
|
1 | ||
| Get Time | type = Ticks, time = 261140 |
|
1 | ||
| Get Time | type = Ticks, time = 261171 |
|
2 | ||
| Get Time | type = Ticks, time = 261218 |
|
1 | ||
| Get Time | type = Ticks, time = 261234 |
|
1 | ||
| Get Time | type = Ticks, time = 261250 |
|
1 | ||
| Get Time | type = Ticks, time = 261296 |
|
2 | ||
| Get Time | type = Ticks, time = 261312 |
|
1 | ||
| Get Time | type = Ticks, time = 261343 |
|
1 | ||
| Get Time | type = Ticks, time = 261390 |
|
1 | ||
| Get Time | type = Ticks, time = 261421 |
|
1 | ||
| Get Time | type = Ticks, time = 261437 |
|
2 | ||
| Get Time | type = Ticks, time = 261453 |
|
3 | ||
| Get Time | type = Ticks, time = 261468 |
|
6 | ||
| Get Time | type = Ticks, time = 261484 |
|
2 | ||
| Get Time | type = Ticks, time = 261500 |
|
1 | ||
| Get Time | type = Ticks, time = 261546 |
|
1 | ||
| Get Time | type = Ticks, time = 261593 |
|
1 | ||
| Get Time | type = Ticks, time = 261640 |
|
1 | ||
| Get Time | type = Ticks, time = 261656 |
|
2 | ||
| Get Time | type = Ticks, time = 261687 |
|
1 | ||
| Get Time | type = Ticks, time = 261703 |
|
1 | ||
| Get Time | type = Ticks, time = 261890 |
|
1 | ||
| Get Time | type = Ticks, time = 261921 |
|
1 | ||
| Get Time | type = Ticks, time = 261953 |
|
1 | ||
| Get Time | type = Ticks, time = 261968 |
|
3 | ||
| Get Time | type = Ticks, time = 261984 |
|
4 | ||
| Get Time | type = Ticks, time = 262015 |
|
1 | ||
| Get Time | type = Ticks, time = 262046 |
|
1 | ||
| Get Time | type = Ticks, time = 262078 |
|
1 | ||
| Get Time | type = Ticks, time = 262093 |
|
1 | ||
| Get Time | type = Ticks, time = 262109 |
|
2 | ||
| Get Time | type = Ticks, time = 262125 |
|
3 | ||
| Get Time | type = Ticks, time = 262140 |
|
2 | ||
| Get Time | type = Ticks, time = 262156 |
|
4 | ||
| Get Time | type = Ticks, time = 262171 |
|
4 | ||
| Get Time | type = Ticks, time = 262187 |
|
3 | ||
| Get Time | type = Ticks, time = 262203 |
|
3 | ||
| Get Time | type = Ticks, time = 262218 |
|
4 | ||
| Get Time | type = Ticks, time = 262234 |
|
1 | ||
| Get Time | type = Ticks, time = 262265 |
|
1 | ||
| Get Time | type = Ticks, time = 262312 |
|
1 | ||
| Get Time | type = Ticks, time = 262328 |
|
1 | ||
| Get Time | type = Ticks, time = 262343 |
|
1 | ||
| Get Time | type = Ticks, time = 262390 |
|
1 | ||
| Get Time | type = Ticks, time = 262406 |
|
1 | ||
| Get Time | type = Ticks, time = 262421 |
|
1 | ||
| Get Time | type = Ticks, time = 262453 |
|
1 | ||
| Get Time | type = Ticks, time = 262468 |
|
2 | ||
| Get Time | type = Ticks, time = 262484 |
|
3 | ||
| Get Time | type = Ticks, time = 262515 |
|
1 | ||
| Get Time | type = Ticks, time = 262546 |
|
1 | ||
| Get Time | type = Ticks, time = 262562 |
|
1 | ||
| Get Time | type = Ticks, time = 262578 |
|
1 | ||
| Get Time | type = Ticks, time = 262593 |
|
3 | ||
| Get Time | type = Ticks, time = 262609 |
|
1 | ||
| Get Time | type = Ticks, time = 262625 |
|
5 | ||
| Get Time | type = Ticks, time = 262640 |
|
4 | ||
| Get Time | type = Ticks, time = 262656 |
|
4 | ||
| Get Time | type = Ticks, time = 262671 |
|
4 | ||
| Get Time | type = Ticks, time = 262687 |
|
3 | ||
| Get Time | type = Ticks, time = 262703 |
|
4 | ||
| Get Time | type = Ticks, time = 262718 |
|
2 | ||
| Get Time | type = Ticks, time = 262875 |
|
1 | ||
| Get Time | type = Ticks, time = 262921 |
|
1 | ||
| Get Time | type = Ticks, time = 262937 |
|
1 | ||
| Get Time | type = Ticks, time = 262953 |
|
2 | ||
| Get Time | type = Ticks, time = 263000 |
|
1 | ||
| Get Time | type = Ticks, time = 263015 |
|
1 | ||
| Get Time | type = Ticks, time = 263046 |
|
1 | ||
| Get Time | type = Ticks, time = 263062 |
|
1 | ||
| Get Time | type = Ticks, time = 263093 |
|
1 | ||
| Get Time | type = Ticks, time = 263125 |
|
1 | ||
| Get Time | type = Ticks, time = 263156 |
|
2 | ||
| Get Time | type = Ticks, time = 263171 |
|
1 | ||
| Get Time | type = Ticks, time = 263203 |
|
5 | ||
| Get Time | type = Ticks, time = 263218 |
|
2 | ||
| Get Time | type = Ticks, time = 263234 |
|
4 | ||
| Get Time | type = Ticks, time = 263250 |
|
4 | ||
| Get Time | type = Ticks, time = 263265 |
|
4 | ||
| Get Time | type = Ticks, time = 263281 |
|
5 | ||
| Get Time | type = Ticks, time = 263296 |
|
3 | ||
| Get Time | type = Ticks, time = 263312 |
|
4 | ||
| Get Time | type = Ticks, time = 263328 |
|
1 | ||
| Get Time | type = Ticks, time = 263359 |
|
1 | ||
| Get Time | type = Ticks, time = 263406 |
|
2 | ||
| Get Time | type = Ticks, time = 263437 |
|
2 | ||
| Get Time | type = Ticks, time = 263484 |
|
1 | ||
| Get Time | type = Ticks, time = 263500 |
|
1 | ||
| Get Time | type = Ticks, time = 263515 |
|
1 | ||
| Get Time | type = Ticks, time = 263546 |
|
1 | ||
| Get Time | type = Ticks, time = 263562 |
|
1 | ||
| Get Time | type = Ticks, time = 263578 |
|
1 | ||
| Get Time | type = Ticks, time = 263609 |
|
1 | ||
| Get Time | type = Ticks, time = 263640 |
|
1 | ||
| Get Time | type = Ticks, time = 263656 |
|
1 | ||
| Get Time | type = Ticks, time = 263671 |
|
2 | ||
| Get Time | type = Ticks, time = 263687 |
|
5 | ||
| Get Time | type = Ticks, time = 263703 |
|
2 | ||
| Get Time | type = Ticks, time = 263718 |
|
4 | ||
| Get Time | type = Ticks, time = 263734 |
|
3 | ||
| Get Time | type = Ticks, time = 263906 |
|
1 | ||
| Get Time | type = Ticks, time = 263937 |
|
1 | ||
| Get Time | type = Ticks, time = 263984 |
|
1 | ||
| Get Time | type = Ticks, time = 264015 |
|
1 | ||
| Get Time | type = Ticks, time = 264046 |
|
3 | ||
| Get Time | type = Ticks, time = 264093 |
|
2 | ||
| Get Time | type = Ticks, time = 264109 |
|
1 | ||
| Get Time | type = Ticks, time = 264156 |
|
2 | ||
| Get Time | type = Ticks, time = 264171 |
|
1 | ||
| Get Time | type = Ticks, time = 264203 |
|
1 | ||
| Get Time | type = Ticks, time = 264234 |
|
1 | ||
| Get Time | type = Ticks, time = 264265 |
|
1 | ||
| Get Time | type = Ticks, time = 264281 |
|
2 | ||
| Get Time | type = Ticks, time = 264296 |
|
1 | ||
| Get Time | type = Ticks, time = 264312 |
|
2 | ||
| Get Time | type = Ticks, time = 264328 |
|
5 | ||
| Get Time | type = Ticks, time = 264343 |
|
3 | ||
| Get Time | type = Ticks, time = 264359 |
|
6 | ||
| Get Time | type = Ticks, time = 264375 |
|
4 | ||
| Get Time | type = Ticks, time = 264390 |
|
4 | ||
| Get Time | type = Ticks, time = 264406 |
|
2 | ||
| Get Time | type = Ticks, time = 264421 |
|
4 | ||
| Get Time | type = Ticks, time = 264437 |
|
4 | ||
| Get Time | type = Ticks, time = 264453 |
|
1 | ||
| Get Time | type = Ticks, time = 264484 |
|
1 | ||
| Get Time | type = Ticks, time = 264531 |
|
2 | ||
| Get Time | type = Ticks, time = 264562 |
|
2 | ||
| Get Time | type = Ticks, time = 264609 |
|
1 | ||
| Get Time | type = Ticks, time = 264625 |
|
1 | ||
| Get Time | type = Ticks, time = 264640 |
|
1 | ||
| Get Time | type = Ticks, time = 264671 |
|
1 | ||
| Get Time | type = Ticks, time = 264687 |
|
2 | ||
| Get Time | type = Ticks, time = 264703 |
|
4 | ||
| Get Time | type = Ticks, time = 264734 |
|
1 | ||
| Get Time | type = Ticks, time = 264921 |
|
1 | ||
| Get Time | type = Ticks, time = 264953 |
|
1 | ||
| Get Time | type = Ticks, time = 264968 |
|
2 | ||
| Get Time | type = Ticks, time = 264984 |
|
2 | ||
| Get Time | type = Ticks, time = 265000 |
|
2 | ||
| Get Time | type = Ticks, time = 265015 |
|
4 | ||
| Get Time | type = Ticks, time = 265031 |
|
4 | ||
| Get Time | type = Ticks, time = 265046 |
|
4 | ||
| Get Time | type = Ticks, time = 265062 |
|
3 | ||
| Get Time | type = Ticks, time = 265109 |
|
1 | ||
| Get Time | type = Ticks, time = 265156 |
|
2 | ||
| Get Time | type = Ticks, time = 265187 |
|
1 | ||
| Get Time | type = Ticks, time = 265218 |
|
1 | ||
| Get Time | type = Ticks, time = 265250 |
|
1 | ||
| Get Time | type = Ticks, time = 265281 |
|
1 | ||
| Get Time | type = Ticks, time = 265296 |
|
1 | ||
| Get Time | type = Ticks, time = 265312 |
|
2 | ||
| Get Time | type = Ticks, time = 265343 |
|
1 | ||
| Get Time | type = Ticks, time = 265375 |
|
1 | ||
| Get Time | type = Ticks, time = 265406 |
|
1 | ||
| Get Time | type = Ticks, time = 265437 |
|
1 | ||
| Get Time | type = Ticks, time = 265453 |
|
2 | ||
| Get Time | type = Ticks, time = 265468 |
|
4 | ||
| Get Time | type = Ticks, time = 265500 |
|
4 | ||
| Get Time | type = Ticks, time = 265515 |
|
4 | ||
| Get Time | type = Ticks, time = 265531 |
|
4 | ||
| Get Time | type = Ticks, time = 265546 |
|
1 | ||
| Get Time | type = Ticks, time = 265562 |
|
3 | ||
| Get Time | type = Ticks, time = 265578 |
|
4 | ||
| Get Time | type = Ticks, time = 265593 |
|
1 | ||
| Get Time | type = Ticks, time = 265625 |
|
1 | ||
| Get Time | type = Ticks, time = 265671 |
|
2 | ||
| Get Time | type = Ticks, time = 265703 |
|
1 | ||
| Get Time | type = Ticks, time = 265890 |
|
1 | ||
| Get Time | type = Ticks, time = 267109 |
|
2 | ||
| Get Time | type = Ticks, time = 267171 |
|
3 | ||
| Get Time | type = Ticks, time = 267187 |
|
3 | ||
| Get Time | type = Ticks, time = 267203 |
|
2 | ||
| Get Time | type = Ticks, time = 267218 |
|
5 | ||
| Get Time | type = Ticks, time = 267234 |
|
4 | ||
| Get Time | type = Ticks, time = 267265 |
|
1 | ||
| Get Time | type = Ticks, time = 267281 |
|
4 | ||
| Get Time | type = Ticks, time = 267296 |
|
4 | ||
| Get Time | type = Ticks, time = 267312 |
|
1 | ||
| Get Time | type = Ticks, time = 267359 |
|
1 | ||
| Get Time | type = Ticks, time = 267406 |
|
1 | ||
| Get Time | type = Ticks, time = 267421 |
|
1 | ||
| Get Time | type = Ticks, time = 267453 |
|
2 | ||
| Get Time | type = Ticks, time = 267500 |
|
1 | ||
| Get Time | type = Ticks, time = 267515 |
|
1 | ||
| Get Time | type = Ticks, time = 267546 |
|
1 | ||
| Get Time | type = Ticks, time = 267578 |
|
2 | ||
| Get Time | type = Ticks, time = 267593 |
|
3 | ||
| Get Time | type = Ticks, time = 267609 |
|
3 | ||
| Get Time | type = Ticks, time = 267640 |
|
1 | ||
| Get Time | type = Ticks, time = 267671 |
|
1 | ||
| Get Time | type = Ticks, time = 267687 |
|
1 | ||
| Get Time | type = Ticks, time = 267703 |
|
1 | ||
| Get Time | type = Ticks, time = 267718 |
|
3 | ||
| Get Time | type = Ticks, time = 267734 |
|
2 | ||
| Get Time | type = Ticks, time = 267921 |
|
1 | ||
| Get Time | type = Ticks, time = 267953 |
|
1 | ||
| Get Time | type = Ticks, time = 268000 |
|
1 | ||
| Get Time | type = Ticks, time = 268015 |
|
1 | ||
| Get Time | type = Ticks, time = 268031 |
|
3 | ||
| Get Time | type = Ticks, time = 268078 |
|
2 | ||
| Get Time | type = Ticks, time = 268125 |
|
1 | ||
| Get Time | type = Ticks, time = 268140 |
|
2 | ||
| Get Time | type = Ticks, time = 268156 |
|
1 | ||
| Get Time | type = Ticks, time = 268187 |
|
1 | ||
| Get Time | type = Ticks, time = 268218 |
|
1 | ||
| Get Time | type = Ticks, time = 268234 |
|
1 | ||
| Get Time | type = Ticks, time = 268250 |
|
2 | ||
| Get Time | type = Ticks, time = 268265 |
|
1 | ||
| Get Time | type = Ticks, time = 268281 |
|
6 | ||
| Get Time | type = Ticks, time = 268296 |
|
4 | ||
| Get Time | type = Ticks, time = 268312 |
|
4 | ||
| Get Time | type = Ticks, time = 268328 |
|
4 | ||
| Get Time | type = Ticks, time = 268343 |
|
3 | ||
| Get Time | type = Ticks, time = 268359 |
|
4 | ||
| Get Time | type = Ticks, time = 268375 |
|
4 | ||
| Get Time | type = Ticks, time = 268390 |
|
1 | ||
| Get Time | type = Ticks, time = 268421 |
|
1 | ||
| Get Time | type = Ticks, time = 268484 |
|
1 | ||
| Get Time | type = Ticks, time = 268515 |
|
1 | ||
| Get Time | type = Ticks, time = 268562 |
|
1 | ||
| Get Time | type = Ticks, time = 268578 |
|
1 | ||
| Get Time | type = Ticks, time = 268593 |
|
1 | ||
| Get Time | type = Ticks, time = 268625 |
|
2 | ||
| Get Time | type = Ticks, time = 268640 |
|
1 | ||
| Get Time | type = Ticks, time = 268656 |
|
1 | ||
| Get Time | type = Ticks, time = 268687 |
|
1 | ||
| Get Time | type = Ticks, time = 268718 |
|
1 | ||
| Get Time | type = Ticks, time = 268734 |
|
1 | ||
| Get Time | type = Ticks, time = 269125 |
|
1 | ||
| Get Time | type = Ticks, time = 269140 |
|
2 | ||
| Get Time | type = Ticks, time = 269156 |
|
1 | ||
| Get Time | type = Ticks, time = 269171 |
|
4 | ||
| Get Time | type = Ticks, time = 269187 |
|
3 | ||
| Get Time | type = Ticks, time = 269203 |
|
5 | ||
| Get Time | type = Ticks, time = 269218 |
|
5 | ||
| Get Time | type = Ticks, time = 269234 |
|
4 | ||
| Get Time | type = Ticks, time = 269250 |
|
4 | ||
| Get Time | type = Ticks, time = 269265 |
|
4 | ||
| Get Time | type = Ticks, time = 269281 |
|
5 | ||
| Get Time | type = Ticks, time = 269296 |
|
1 | ||
| Get Time | type = Ticks, time = 269328 |
|
1 | ||
| Get Time | type = Ticks, time = 269375 |
|
2 | ||
| Get Time | type = Ticks, time = 269406 |
|
2 | ||
| Get Time | type = Ticks, time = 269437 |
|
1 | ||
| Get Time | type = Ticks, time = 269484 |
|
2 | ||
| Get Time | type = Ticks, time = 269500 |
|
1 | ||
| Get Time | type = Ticks, time = 269515 |
|
1 | ||
| Get Time | type = Ticks, time = 269546 |
|
1 | ||
| Get Time | type = Ticks, time = 269593 |
|
2 | ||
| Get Time | type = Ticks, time = 269609 |
|
4 | ||
| Get Time | type = Ticks, time = 269625 |
|
3 | ||
| Get Time | type = Ticks, time = 269640 |
|
6 | ||
| Get Time | type = Ticks, time = 269656 |
|
4 | ||
| Get Time | type = Ticks, time = 269671 |
|
4 | ||
| Get Time | type = Ticks, time = 269687 |
|
4 | ||
| Get Time | type = Ticks, time = 269703 |
|
4 | ||
| Get Time | type = Ticks, time = 269718 |
|
4 | ||
| Get Time | type = Ticks, time = 269734 |
|
1 | ||
| Get Time | type = Ticks, time = 269953 |
|
1 | ||
| Get Time | type = Ticks, time = 269984 |
|
1 | ||
| Get Time | type = Ticks, time = 270000 |
|
1 | ||
| Get Time | type = Ticks, time = 270031 |
|
3 | ||
| Get Time | type = Ticks, time = 270062 |
|
1 | ||
| Get Time | type = Ticks, time = 270093 |
|
1 | ||
| Get Time | type = Ticks, time = 270125 |
|
2 | ||
| Get Time | type = Ticks, time = 270140 |
|
2 | ||
| Get Time | type = Ticks, time = 270171 |
|
1 | ||
| Get Time | type = Ticks, time = 270203 |
|
1 | ||
| Get Time | type = Ticks, time = 270218 |
|
2 | ||
| Get Time | type = Ticks, time = 270234 |
|
3 | ||
| Get Time | type = Ticks, time = 270250 |
|
2 | ||
| Get Time | type = Ticks, time = 270265 |
|
4 | ||
| Get Time | type = Ticks, time = 270281 |
|
6 | ||
| Get Time | type = Ticks, time = 270296 |
|
3 | ||
| Get Time | type = Ticks, time = 270312 |
|
2 | ||
| Get Time | type = Ticks, time = 270328 |
|
3 | ||
| Get Time | type = Ticks, time = 270343 |
|
2 | ||
| Get Time | type = Ticks, time = 270359 |
|
5 | ||
| Get Time | type = Ticks, time = 270375 |
|
1 | ||
| Get Time | type = Ticks, time = 270406 |
|
1 | ||
| Get Time | type = Ticks, time = 270437 |
|
1 | ||
| Get Time | type = Ticks, time = 270468 |
|
2 | ||
| Get Time | type = Ticks, time = 270515 |
|
1 | ||
| Get Time | type = Ticks, time = 270562 |
|
2 | ||
| Get Time | type = Ticks, time = 270578 |
|
3 | ||
| Get Time | type = Ticks, time = 270625 |
|
1 | ||
| Get Time | type = Ticks, time = 270656 |
|
1 | ||
| Get Time | type = Ticks, time = 270671 |
|
1 | ||
| Get Time | type = Ticks, time = 270687 |
|
2 | ||
| Get Time | type = Ticks, time = 270703 |
|
1 | ||
| Get Time | type = Ticks, time = 270718 |
|
3 | ||
| Get Time | type = Ticks, time = 270734 |
|
4 | ||
| Get Time | type = Ticks, time = 270781 |
|
1 | ||
| Get Time | type = Ticks, time = 270796 |
|
4 | ||
| Get Time | type = Ticks, time = 270812 |
|
5 | ||
| Get Time | type = Ticks, time = 270828 |
|
4 | ||
| Get Time | type = Ticks, time = 270843 |
|
4 | ||
| Get Time | type = Ticks, time = 270859 |
|
4 | ||
| Get Time | type = Ticks, time = 270875 |
|
5 | ||
| Get Time | type = Ticks, time = 270890 |
|
4 | ||
| Get Time | type = Ticks, time = 270906 |
|
1 | ||
| Get Time | type = Ticks, time = 270937 |
|
1 | ||
| Get Time | type = Ticks, time = 270984 |
|
2 | ||
| Get Time | type = Ticks, time = 271015 |
|
1 | ||
| Get Time | type = Ticks, time = 271062 |
|
1 | ||
| Get Time | type = Ticks, time = 271078 |
|
1 | ||
| Get Time | type = Ticks, time = 271109 |
|
1 | ||
| Get Time | type = Ticks, time = 271140 |
|
2 | ||
| Get Time | type = Ticks, time = 271156 |
|
2 | ||
| Get Time | type = Ticks, time = 271187 |
|
1 | ||
| Get Time | type = Ticks, time = 271218 |
|
1 | ||
| Get Time | type = Ticks, time = 271250 |
|
1 | ||
| Get Time | type = Ticks, time = 271265 |
|
1 | ||
| Get Time | type = Ticks, time = 272000 |
|
2 | ||
| Get Time | type = Ticks, time = 272015 |
|
1 | ||
| Get Time | type = Ticks, time = 272031 |
|
4 | ||
| Get Time | type = Ticks, time = 272046 |
|
5 | ||
| Get Time | type = Ticks, time = 272062 |
|
4 | ||
| Get Time | type = Ticks, time = 272078 |
|
3 | ||
| Get Time | type = Ticks, time = 272093 |
|
5 | ||
| Get Time | type = Ticks, time = 272109 |
|
1 | ||
| Get Time | type = Ticks, time = 272125 |
|
1 | ||
| Get Time | type = Ticks, time = 272140 |
|
2 | ||
| Get Time | type = Ticks, time = 272156 |
|
4 | ||
| Get Time | type = Ticks, time = 272171 |
|
4 | ||
| Get Time | type = Ticks, time = 272187 |
|
1 | ||
| Get Time | type = Ticks, time = 272218 |
|
1 | ||
| Get Time | type = Ticks, time = 272234 |
|
1 | ||
| Get Time | type = Ticks, time = 272250 |
|
1 | ||
| Get Time | type = Ticks, time = 272296 |
|
2 | ||
| Get Time | type = Ticks, time = 272343 |
|
2 | ||
| Get Time | type = Ticks, time = 272359 |
|
4 | ||
| Get Time | type = Ticks, time = 272375 |
|
1 | ||
| Get Time | type = Ticks, time = 272406 |
|
1 | ||
| Get Time | type = Ticks, time = 272453 |
|
2 | ||
| Get Time | type = Ticks, time = 272468 |
|
4 | ||
| Get Time | type = Ticks, time = 272484 |
|
4 | ||
| Get Time | type = Ticks, time = 272500 |
|
5 | ||
| Get Time | type = Ticks, time = 272515 |
|
4 | ||
| Get Time | type = Ticks, time = 272531 |
|
4 | ||
| Get Time | type = Ticks, time = 272546 |
|
4 | ||
| Get Time | type = Ticks, time = 272562 |
|
5 | ||
| Get Time | type = Ticks, time = 272578 |
|
3 | ||
| Get Time | type = Ticks, time = 272593 |
|
1 | ||
| Get Time | type = Ticks, time = 272625 |
|
1 | ||
| Get Time | type = Ticks, time = 272671 |
|
2 | ||
| Get Time | type = Ticks, time = 272703 |
|
2 | ||
| Get Time | type = Ticks, time = 272812 |
|
2 | ||
| Get Time | type = Ticks, time = 272875 |
|
2 | ||
| Get Time | type = Ticks, time = 272890 |
|
2 | ||
| Get Time | type = Ticks, time = 272937 |
|
1 | ||
| Get Time | type = Ticks, time = 272984 |
|
2 | ||
| Get Time | type = Ticks, time = 273000 |
|
1 | ||
| Get Time | type = Ticks, time = 273015 |
|
4 | ||
| Get Time | type = Ticks, time = 273031 |
|
3 | ||
| Get Time | type = Ticks, time = 273062 |
|
2 | ||
| Get Time | type = Ticks, time = 273078 |
|
3 | ||
| Get Time | type = Ticks, time = 273093 |
|
3 | ||
| Get Time | type = Ticks, time = 273109 |
|
1 | ||
| Get Time | type = Ticks, time = 273125 |
|
3 | ||
| Get Time | type = Ticks, time = 273140 |
|
1 | ||
| Get Time | type = Ticks, time = 273187 |
|
1 | ||
| Get Time | type = Ticks, time = 273234 |
|
1 | ||
| Get Time | type = Ticks, time = 273250 |
|
1 | ||
| Get Time | type = Ticks, time = 273281 |
|
2 | ||
| Get Time | type = Ticks, time = 273328 |
|
1 | ||
| Get Time | type = Ticks, time = 273343 |
|
1 | ||
| Get Time | type = Ticks, time = 273390 |
|
2 | ||
| Get Time | type = Ticks, time = 273406 |
|
2 | ||
| Get Time | type = Ticks, time = 273421 |
|
1 | ||
| Get Time | type = Ticks, time = 273453 |
|
1 | ||
| Get Time | type = Ticks, time = 273500 |
|
2 | ||
| Get Time | type = Ticks, time = 273515 |
|
1 | ||
| Get Time | type = Ticks, time = 273531 |
|
2 | ||
| Get Time | type = Ticks, time = 273546 |
|
2 | ||
| Get Time | type = Ticks, time = 273562 |
|
4 | ||
| Get Time | type = Ticks, time = 273578 |
|
4 | ||
| Get Time | type = Ticks, time = 273593 |
|
1 | ||
| Get Time | type = Ticks, time = 273609 |
|
1 | ||
| Get Time | type = Ticks, time = 273625 |
|
1 | ||
| Get Time | type = Ticks, time = 273640 |
|
2 | ||
| Get Time | type = Ticks, time = 273671 |
|
1 | ||
| Get Time | type = Ticks, time = 273718 |
|
1 | ||
| Get Time | type = Ticks, time = 273734 |
|
1 | ||
| Get Time | type = Ticks, time = 273796 |
|
1 | ||
| Get Time | type = Ticks, time = 273812 |
|
2 | ||
| Get Time | type = Ticks, time = 273859 |
|
1 | ||
| Get Time | type = Ticks, time = 273906 |
|
1 | ||
| Get Time | type = Ticks, time = 273921 |
|
2 | ||
| Get Time | type = Ticks, time = 273937 |
|
1 | ||
| Get Time | type = Ticks, time = 273968 |
|
1 | ||
| Get Time | type = Ticks, time = 274000 |
|
2 | ||
| Get Time | type = Ticks, time = 274031 |
|
3 | ||
| Get Time | type = Ticks, time = 274046 |
|
2 | ||
| Get Time | type = Ticks, time = 274062 |
|
1 | ||
| Get Time | type = Ticks, time = 274078 |
|
5 | ||
| Get Time | type = Ticks, time = 274093 |
|
4 | ||
| Get Time | type = Ticks, time = 274109 |
|
3 | ||
| Get Time | type = Ticks, time = 274125 |
|
1 | ||
| Get Time | type = Ticks, time = 274140 |
|
3 | ||
| Get Time | type = Ticks, time = 274156 |
|
5 | ||
| Get Time | type = Ticks, time = 274171 |
|
2 | ||
| Get Time | type = Ticks, time = 274218 |
|
1 | ||
| Get Time | type = Ticks, time = 274265 |
|
2 | ||
| Get Time | type = Ticks, time = 274296 |
|
3 | ||
| Get Time | type = Ticks, time = 274343 |
|
1 | ||
| Get Time | type = Ticks, time = 274359 |
|
1 | ||
| Get Time | type = Ticks, time = 274375 |
|
1 | ||
| Get Time | type = Ticks, time = 274406 |
|
1 | ||
| Get Time | type = Ticks, time = 274421 |
|
1 | ||
| Get Time | type = Ticks, time = 274437 |
|
1 | ||
| Get Time | type = Ticks, time = 274468 |
|
1 | ||
| Get Time | type = Ticks, time = 274515 |
|
1 | ||
| Get Time | type = Ticks, time = 274531 |
|
1 | ||
| Get Time | type = Ticks, time = 274546 |
|
2 | ||
| Get Time | type = Ticks, time = 274562 |
|
1 | ||
| Get Time | type = Ticks, time = 274578 |
|
1 | ||
| Get Time | type = Ticks, time = 274609 |
|
4 | ||
| Get Time | type = Ticks, time = 274625 |
|
3 | ||
| Get Time | type = Ticks, time = 274640 |
|
3 | ||
| Get Time | type = Ticks, time = 274656 |
|
4 | ||
| Get Time | type = Ticks, time = 274671 |
|
2 | ||
| Get Time | type = Ticks, time = 274703 |
|
1 | ||
| Get Time | type = Ticks, time = 274812 |
|
1 | ||
| Get Time | type = Ticks, time = 274828 |
|
1 | ||
| Get Time | type = Ticks, time = 274890 |
|
2 | ||
| Get Time | type = Ticks, time = 274937 |
|
1 | ||
| Get Time | type = Ticks, time = 274953 |
|
1 | ||
| Get Time | type = Ticks, time = 275000 |
|
1 | ||
| Get Time | type = Ticks, time = 275015 |
|
1 | ||
| Get Time | type = Ticks, time = 275031 |
|
2 | ||
| Get Time | type = Ticks, time = 275078 |
|
1 | ||
| Get Time | type = Ticks, time = 275109 |
|
1 | ||
| Get Time | type = Ticks, time = 275125 |
|
1 | ||
| Get Time | type = Ticks, time = 275140 |
|
1 | ||
| Get Time | type = Ticks, time = 275156 |
|
2 | ||
| Get Time | type = Ticks, time = 275171 |
|
6 | ||
| Get Time | type = Ticks, time = 275187 |
|
2 | ||
| Get Time | type = Ticks, time = 275218 |
|
2 | ||
| Get Time | type = Ticks, time = 275234 |
|
1 | ||
| Get Time | type = Ticks, time = 275296 |
|
1 | ||
| Get Time | type = Ticks, time = 275328 |
|
1 | ||
| Get Time | type = Ticks, time = 275343 |
|
1 | ||
| Get Time | type = Ticks, time = 275375 |
|
2 | ||
| Get Time | type = Ticks, time = 275421 |
|
2 | ||
| Get Time | type = Ticks, time = 275453 |
|
1 | ||
| Get Time | type = Ticks, time = 275484 |
|
2 | ||
| Get Time | type = Ticks, time = 275500 |
|
2 | ||
| Get Time | type = Ticks, time = 275531 |
|
1 | ||
| Get Time | type = Ticks, time = 275562 |
|
1 | ||
| Get Time | type = Ticks, time = 275578 |
|
1 | ||
| Get Time | type = Ticks, time = 275593 |
|
2 | ||
| Get Time | type = Ticks, time = 275609 |
|
2 | ||
| Get Time | type = Ticks, time = 275625 |
|
1 | ||
| Get Time | type = Ticks, time = 275640 |
|
1 | ||
| Get Time | type = Ticks, time = 275656 |
|
1 | ||
| Get Time | type = Ticks, time = 275671 |
|
1 | ||
| Get Time | type = Ticks, time = 275703 |
|
3 | ||
| Get Time | type = Ticks, time = 275718 |
|
3 | ||
| Get Time | type = Ticks, time = 275734 |
|
1 | ||
| Get Time | type = Ticks, time = 275812 |
|
1 | ||
| Get Time | type = Ticks, time = 275859 |
|
2 | ||
| Get Time | type = Ticks, time = 275890 |
|
2 | ||
| Get Time | type = Ticks, time = 275937 |
|
1 | ||
| Get Time | type = Ticks, time = 275953 |
|
1 | ||
| Get Time | type = Ticks, time = 275968 |
|
1 | ||
| Get Time | type = Ticks, time = 276000 |
|
1 | ||
| Get Time | type = Ticks, time = 276015 |
|
2 | ||
| Get Time | type = Ticks, time = 276031 |
|
3 | ||
| Get Time | type = Ticks, time = 276062 |
|
1 | ||
| Get Time | type = Ticks, time = 276093 |
|
1 | ||
| Get Time | type = Ticks, time = 276125 |
|
2 | ||
| Get Time | type = Ticks, time = 276140 |
|
3 | ||
| Get Time | type = Ticks, time = 276156 |
|
4 | ||
| Get Time | type = Ticks, time = 276171 |
|
3 | ||
| Get Time | type = Ticks, time = 276187 |
|
3 | ||
| Get Time | type = Ticks, time = 276203 |
|
4 | ||
| Get Time | type = Ticks, time = 276218 |
|
5 | ||
| Get Time | type = Ticks, time = 276234 |
|
3 | ||
| Get Time | type = Ticks, time = 276250 |
|
4 | ||
| Get Time | type = Ticks, time = 276828 |
|
1 | ||
| Get Time | type = Ticks, time = 276875 |
|
1 | ||
| Get Time | type = Ticks, time = 276890 |
|
1 | ||
| Get Time | type = Ticks, time = 276921 |
|
2 | ||
| Get Time | type = Ticks, time = 276937 |
|
3 | ||
| Get Time | type = Ticks, time = 276953 |
|
1 | ||
| Get Time | type = Ticks, time = 276968 |
|
1 | ||
| Get Time | type = Ticks, time = 277015 |
|
1 | ||
| Get Time | type = Ticks, time = 277062 |
|
1 | ||
| Get Time | type = Ticks, time = 277109 |
|
1 | ||
| Get Time | type = Ticks, time = 277140 |
|
2 | ||
| Get Time | type = Ticks, time = 277171 |
|
1 | ||
| Get Time | type = Ticks, time = 277187 |
|
1 | ||
| Get Time | type = Ticks, time = 277218 |
|
1 | ||
| Get Time | type = Ticks, time = 277250 |
|
1 | ||
| Get Time | type = Ticks, time = 277265 |
|
1 | ||
| Get Time | type = Ticks, time = 277296 |
|
1 | ||
| Get Time | type = Ticks, time = 277328 |
|
1 | ||
| Get Time | type = Ticks, time = 277359 |
|
3 | ||
| Get Time | type = Ticks, time = 277390 |
|
2 | ||
| Get Time | type = Ticks, time = 277406 |
|
2 | ||
| Get Time | type = Ticks, time = 277453 |
|
2 | ||
| Get Time | type = Ticks, time = 277468 |
|
4 | ||
| Get Time | type = Ticks, time = 277484 |
|
1 | ||
| Get Time | type = Ticks, time = 277515 |
|
1 | ||
| Get Time | type = Ticks, time = 277562 |
|
1 | ||
| Get Time | type = Ticks, time = 277593 |
|
2 | ||
| Get Time | type = Ticks, time = 277640 |
|
1 | ||
| Get Time | type = Ticks, time = 277656 |
|
1 | ||
| Get Time | type = Ticks, time = 277703 |
|
1 | ||
| Get Time | type = Ticks, time = 277718 |
|
2 | ||
| Get Time | type = Ticks, time = 277734 |
|
1 | ||
| Get Time | type = Ticks, time = 277796 |
|
1 | ||
| Get Time | type = Ticks, time = 277828 |
|
1 | ||
| Get Time | type = Ticks, time = 277859 |
|
1 | ||
| Get Time | type = Ticks, time = 277875 |
|
2 | ||
| Get Time | type = Ticks, time = 277906 |
|
2 | ||
| Get Time | type = Ticks, time = 277921 |
|
3 | ||
| Get Time | type = Ticks, time = 277937 |
|
5 | ||
| Get Time | type = Ticks, time = 277953 |
|
5 | ||
| Get Time | type = Ticks, time = 277968 |
|
2 | ||
| Get Time | type = Ticks, time = 278000 |
|
1 | ||
| Get Time | type = Ticks, time = 278015 |
|
1 | ||
| Get Time | type = Ticks, time = 278078 |
|
1 | ||
| Get Time | type = Ticks, time = 278125 |
|
1 | ||
| Get Time | type = Ticks, time = 278156 |
|
1 | ||
| Get Time | type = Ticks, time = 278203 |
|
1 | ||
| Get Time | type = Ticks, time = 278218 |
|
1 | ||
| Get Time | type = Ticks, time = 278250 |
|
1 | ||
| Get Time | type = Ticks, time = 278281 |
|
1 | ||
| Get Time | type = Ticks, time = 278296 |
|
2 | ||
| Get Time | type = Ticks, time = 278343 |
|
1 | ||
| Get Time | type = Ticks, time = 278390 |
|
1 | ||
| Get Time | type = Ticks, time = 278421 |
|
1 | ||
| Get Time | type = Ticks, time = 278437 |
|
1 | ||
| Get Time | type = Ticks, time = 278468 |
|
1 | ||
| Get Time | type = Ticks, time = 278500 |
|
3 | ||
| Get Time | type = Ticks, time = 278578 |
|
1 | ||
| Get Time | type = Ticks, time = 278625 |
|
2 | ||
| Get Time | type = Ticks, time = 278656 |
|
2 | ||
| Get Time | type = Ticks, time = 278703 |
|
2 | ||
| Get Time | type = Ticks, time = 278812 |
|
2 | ||
| Get Time | type = Ticks, time = 278828 |
|
1 | ||
| Get Time | type = Ticks, time = 278859 |
|
1 | ||
| Get Time | type = Ticks, time = 278890 |
|
1 | ||
| Get Time | type = Ticks, time = 278906 |
|
1 | ||
| Get Time | type = Ticks, time = 278921 |
|
3 | ||
| Get Time | type = Ticks, time = 278937 |
|
3 | ||
| Get Time | type = Ticks, time = 278953 |
|
2 | ||
| Get Time | type = Ticks, time = 278968 |
|
2 | ||
| Get Time | type = Ticks, time = 278984 |
|
4 | ||
| Get Time | type = Ticks, time = 279000 |
|
2 | ||
| Get Time | type = Ticks, time = 279015 |
|
4 | ||
| Get Time | type = Ticks, time = 279031 |
|
4 | ||
| Get Time | type = Ticks, time = 279046 |
|
1 | ||
| Get Time | type = Ticks, time = 279109 |
|
1 | ||
| Get Time | type = Ticks, time = 279156 |
|
2 | ||
| Get Time | type = Ticks, time = 279187 |
|
2 | ||
| Get Time | type = Ticks, time = 279234 |
|
1 | ||
| Get Time | type = Ticks, time = 279250 |
|
1 | ||
| Get Time | type = Ticks, time = 279265 |
|
1 | ||
| Get Time | type = Ticks, time = 279296 |
|
3 | ||
| Get Time | type = Ticks, time = 279312 |
|
1 | ||
| Get Time | type = Ticks, time = 279343 |
|
1 | ||
| Get Time | type = Ticks, time = 279375 |
|
1 | ||
| Get Time | type = Ticks, time = 279406 |
|
1 | ||
| Get Time | type = Ticks, time = 279421 |
|
1 | ||
| Get Time | type = Ticks, time = 279437 |
|
1 | ||
| Get Time | type = Ticks, time = 279453 |
|
2 | ||
| Get Time | type = Ticks, time = 279468 |
|
3 | ||
| Get Time | type = Ticks, time = 279484 |
|
5 | ||
| Get Time | type = Ticks, time = 279500 |
|
4 | ||
| Get Time | type = Ticks, time = 279531 |
|
1 | ||
| Get Time | type = Ticks, time = 279562 |
|
1 | ||
| Get Time | type = Ticks, time = 279609 |
|
1 | ||
| Get Time | type = Ticks, time = 279640 |
|
1 | ||
| Get Time | type = Ticks, time = 279687 |
|
1 | ||
| Get Time | type = Ticks, time = 279796 |
|
1 | ||
| Get Time | type = Ticks, time = 279812 |
|
1 | ||
| Get Time | type = Ticks, time = 279828 |
|
1 | ||
| Get Time | type = Ticks, time = 279843 |
|
2 | ||
| Get Time | type = Ticks, time = 279875 |
|
1 | ||
| Get Time | type = Ticks, time = 279906 |
|
1 | ||
| Get Time | type = Ticks, time = 279921 |
|
2 | ||
| Get Time | type = Ticks, time = 279937 |
|
2 | ||
| Get Time | type = Ticks, time = 279953 |
|
3 | ||
| Get Time | type = Ticks, time = 279968 |
|
4 | ||
| Get Time | type = Ticks, time = 279984 |
|
3 | ||
| Get Time | type = Ticks, time = 280000 |
|
2 | ||
| Get Time | type = Ticks, time = 280015 |
|
2 | ||
| Get Time | type = Ticks, time = 280031 |
|
1 | ||
| Get Time | type = Ticks, time = 280046 |
|
1 | ||
| Get Time | type = Ticks, time = 280062 |
|
1 | ||
| Get Time | type = Ticks, time = 280078 |
|
1 | ||
| Get Time | type = Ticks, time = 280156 |
|
1 | ||
| Get Time | type = Ticks, time = 280171 |
|
1 | ||
| Get Time | type = Ticks, time = 280187 |
|
1 | ||
| Get Time | type = Ticks, time = 280234 |
|
1 | ||
| Get Time | type = Ticks, time = 280281 |
|
1 | ||
| Get Time | type = Ticks, time = 280312 |
|
1 | ||
| Get Time | type = Ticks, time = 280343 |
|
1 | ||
| Get Time | type = Ticks, time = 280375 |
|
1 | ||
| Get Time | type = Ticks, time = 280390 |
|
1 | ||
| Get Time | type = Ticks, time = 280406 |
|
1 | ||
| Get Time | type = Ticks, time = 280421 |
|
1 | ||
| Get Time | type = Ticks, time = 280437 |
|
1 | ||
| Get Time | type = Ticks, time = 280468 |
|
2 | ||
| Get Time | type = Ticks, time = 280500 |
|
2 | ||
| Get Time | type = Ticks, time = 280531 |
|
1 | ||
| Get Time | type = Ticks, time = 280546 |
|
1 | ||
| Get Time | type = Ticks, time = 280593 |
|
2 | ||
| Get Time | type = Ticks, time = 280609 |
|
1 | ||
| Get Time | type = Ticks, time = 280671 |
|
1 | ||
| Get Time | type = Ticks, time = 280687 |
|
1 | ||
| Get Time | type = Ticks, time = 280718 |
|
1 | ||
| Get Time | type = Ticks, time = 280734 |
|
1 | ||
| Get Time | type = Ticks, time = 280796 |
|
1 | ||
| Get Time | type = Ticks, time = 280828 |
|
1 | ||
| Get Time | type = Ticks, time = 280859 |
|
1 | ||
| Get Time | type = Ticks, time = 280875 |
|
1 | ||
| Get Time | type = Ticks, time = 280890 |
|
1 | ||
| Get Time | type = Ticks, time = 280937 |
|
2 | ||
| Get Time | type = Ticks, time = 280968 |
|
2 | ||
| Get Time | type = Ticks, time = 280984 |
|
3 | ||
| Get Time | type = Ticks, time = 281000 |
|
5 | ||
| Get Time | type = Ticks, time = 281015 |
|
3 | ||
| Get Time | type = Ticks, time = 281031 |
|
2 | ||
| Get Time | type = Ticks, time = 281046 |
|
1 | ||
| Get Time | type = Ticks, time = 281062 |
|
1 | ||
| Get Time | type = Ticks, time = 281093 |
|
1 | ||
| Get Time | type = Ticks, time = 281109 |
|
1 | ||
| Get Time | type = Ticks, time = 281156 |
|
1 | ||
| Get Time | type = Ticks, time = 281187 |
|
2 | ||
| Get Time | type = Ticks, time = 281234 |
|
1 | ||
| Get Time | type = Ticks, time = 281250 |
|
1 | ||
| Get Time | type = Ticks, time = 281265 |
|
1 | ||
| Get Time | type = Ticks, time = 282171 |
|
1 | ||
| Get Time | type = Ticks, time = 282921 |
|
1 | ||
| Get Time | type = Ticks, time = 282953 |
|
2 | ||
| Get Time | type = Ticks, time = 282984 |
|
1 | ||
| Get Time | type = Ticks, time = 283062 |
|
1 | ||
| Get Time | type = Ticks, time = 283171 |
|
1 | ||
| Get Time | type = Ticks, time = 283218 |
|
1 | ||
| Get Time | type = Ticks, time = 283265 |
|
1 | ||
| Get Time | type = Ticks, time = 283296 |
|
1 | ||
| Get Time | type = Ticks, time = 283312 |
|
1 | ||
| Get Time | type = Ticks, time = 283343 |
|
1 | ||
| Get Time | type = Ticks, time = 283375 |
|
2 | ||
| Get Time | type = Ticks, time = 283406 |
|
2 | ||
| Get Time | type = Ticks, time = 283421 |
|
2 | ||
| Get Time | type = Ticks, time = 283437 |
|
3 | ||
| Get Time | type = Ticks, time = 283453 |
|
1 | ||
|
For performance reasons, the remaining 1 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #203: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #203 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/MSI and Script" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x444 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
E20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000640000 | 0x00640000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x0064ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00661fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00683fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00800000 | 0x008bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bc0000 | 0x00ef6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f040000 | 0x7f040000 | 0x7f13ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f140000 | 0x7f140000 | 0x7f162fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f166000 | 0x7f166000 | 0x7f166fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f168000 | 0x7f168000 | 0x7f16afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f16b000 | 0x7f16b000 | 0x7f16dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f16e000 | 0x7f16e000 | 0x7f16efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #205: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #205 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppLocker/MSI and Script" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe14 |
| Parent PID | 0x444 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DEC
0x
DF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000140000 | 0x00140000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x0014ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00430000 | 0x004edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74220000 | 0x7426dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x742a0000 | 0x742bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7f0000 | 0x7e7f0000 | 0x7e8effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8f0000 | 0x7e8f0000 | 0x7e912fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e915000 | 0x7e915000 | 0x7e915fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e918000 | 0x7e918000 | 0x7e918fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e91a000 | 0x7e91a000 | 0x7e91cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e91d000 | 0x7e91d000 | 0x7e91ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #206: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #206 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/Packaged app-Deployment" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF8
0x
D7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00603fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00613fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00633fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007b0000 | 0x0086dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bc0000 | 0x00ef6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f227000 | 0x7f227000 | 0x7f229fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22a000 | 0x7f22a000 | 0x7f22cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22d000 | 0x7f22d000 | 0x7f22dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22f000 | 0x7f22f000 | 0x7f22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xde8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #208: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #208 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppLocker/Packaged app-Deployment" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde8 |
| Parent PID | 0xdc8 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DCC
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x04fdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05001fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05023fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x050c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea10000 | 0x7ea10000 | 0x7ea32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea38000 | 0x7ea38000 | 0x7ea3afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3b000 | 0x7ea3b000 | 0x7ea3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3e000 | 0x7ea3e000 | 0x7ea3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #209: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #209 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/Packaged app-Execution" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xddc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC4
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b10000 | 0x00b10000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d40000 | 0x00dfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4d0000 | 0x7f4d0000 | 0x7f5cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f5d0000 | 0x7f5d0000 | 0x7f5f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5f3000 | 0x7f5f3000 | 0x7f5f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5f8000 | 0x7f5f8000 | 0x7f5fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fb000 | 0x7f5fb000 | 0x7f5fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fd000 | 0x7f5fd000 | 0x7f5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x224, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #211: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #211 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppLocker/Packaged app-Execution" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x224 |
| Parent PID | 0xddc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D18
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5a0000 | 0x7e5a0000 | 0x7e5c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5c5000 | 0x7e5c5000 | 0x7e5c5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ca000 | 0x7e5ca000 | 0x7e5ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5cd000 | 0x7e5cd000 | 0x7e5cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #212: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #212 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD0
0x
E54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006c0000 | 0x006c0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00703fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00853fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00880000 | 0x0093dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ca0000 | 0x00fd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f108000 | 0x7f108000 | 0x7f10afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10b000 | 0x7f10b000 | 0x7f10dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10e000 | 0x7f10e000 | 0x7f10efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10f000 | 0x7f10f000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #214: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #214 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc64 |
| Parent PID | 0xde0 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D20
0x
E50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e830000 | 0x7e830000 | 0x7e852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e855000 | 0x7e855000 | 0x7e855fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e85a000 | 0x7e85a000 | 0x7e85cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e85d000 | 0x7e85d000 | 0x7e85dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #215: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #215 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x348 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1A0
0x
E40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000460000 | 0x00460000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00481fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00483fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00620000 | 0x006ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a40000 | 0x00d76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2d0000 | 0x7f2d0000 | 0x7f3cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3d0000 | 0x7f3d0000 | 0x7f3f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3f6000 | 0x7f3f6000 | 0x7f3f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3f9000 | 0x7f3f9000 | 0x7f3f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3fc000 | 0x7f3fc000 | 0x7f3fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ff000 | 0x7f3ff000 | 0x7f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #217: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #217 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f4 |
| Parent PID | 0x348 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
0x
E6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fa1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005050000 | 0x05050000 | 0x05053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005060000 | 0x05060000 | 0x05060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x05071fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ee62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee64000 | 0x7ee64000 | 0x7ee64fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee67000 | 0x7ee67000 | 0x7ee67fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee6d000 | 0x7ee6d000 | 0x7ee6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #218: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #218 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
81C
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00641fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00650000 | 0x0070dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b70000 | 0x00ea6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ed3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed40000 | 0x7ed40000 | 0x7ed62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed66000 | 0x7ed66000 | 0x7ed66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed69000 | 0x7ed69000 | 0x7ed6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed6c000 | 0x7ed6c000 | 0x7ed6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed6f000 | 0x7ed6f000 | 0x7ed6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x7e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #220: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #220 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7e8 |
| Parent PID | 0xb48 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB0
0x
AB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009e0000 | 0x009e0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa20000 | 0x7fa20000 | 0x7fa42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa49000 | 0x7fa49000 | 0x7fa4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa4c000 | 0x7fa4c000 | 0x7fa4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa4f000 | 0x7fa4f000 | 0x7fa4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #221: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #221 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Diagnostics" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6fc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F58
0x
328
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x01133fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05370000 | 0x0542dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x0552ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056d0000 | 0x056d0000 | 0x056dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056e0000 | 0x05a16fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa50000 | 0x7fa50000 | 0x7fb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb50000 | 0x7fb50000 | 0x7fb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb77000 | 0x7fb77000 | 0x7fb79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7a000 | 0x7fb7a000 | 0x7fb7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7d000 | 0x7fb7d000 | 0x7fb7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7f000 | 0x7fb7f000 | 0x7fb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x520, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #223: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #223 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppModel-Runtime/Diagnostics" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x520 |
| Parent PID | 0x6fc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E28
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x04e7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ea1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f60000 | 0x04f60000 | 0x04f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f71fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eac5000 | 0x7eac5000 | 0x7eac5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaca000 | 0x7eaca000 | 0x7eacafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #224: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #224 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-State/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4b0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B44
0x
B04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d60000 | 0x00d60000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f20000 | 0x00fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005630000 | 0x05630000 | 0x0563ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05640000 | 0x05976fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7fa1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa20000 | 0x7fa20000 | 0x7fa42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa48000 | 0x7fa48000 | 0x7fa4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa4b000 | 0x7fa4b000 | 0x7fa4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa4e000 | 0x7fa4e000 | 0x7fa4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa4f000 | 0x7fa4f000 | 0x7fa4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 125, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #226: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #226 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppModel-State/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe3c |
| Parent PID | 0x4b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C1C
0x
E60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000690000 | 0x00690000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8c0000 | 0x7e8c0000 | 0x7e8e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8e5000 | 0x7e8e5000 | 0x7e8e5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8e9000 | 0x7e8e9000 | 0x7e8e9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ed000 | 0x7e8ed000 | 0x7e8effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #227: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #227 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppModel-State/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfb4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
218
0x
7AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f50000 | 0x0100dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05450000 | 0x05786fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa50000 | 0x7fa50000 | 0x7fb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb50000 | 0x7fb50000 | 0x7fb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb73000 | 0x7fb73000 | 0x7fb73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb74000 | 0x7fb74000 | 0x7fb74fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7a000 | 0x7fb7a000 | 0x7fb7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7d000 | 0x7fb7d000 | 0x7fb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 5, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #229: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #229 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppModel-State/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0xfb4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD0
0x
428
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000d0000 | 0x000d0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00113fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e270000 | 0x7e270000 | 0x7e292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e29a000 | 0x7e29a000 | 0x7e29afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e29b000 | 0x7e29b000 | 0x7e29bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e29d000 | 0x7e29d000 | 0x7e29ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #230: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #230 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x960 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F84
0x
BF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01013fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01063fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x01081fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05290000 | 0x0534dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0557ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005690000 | 0x05690000 | 0x0569ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056a0000 | 0x059d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f5dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f5e0000 | 0x7f5e0000 | 0x7f602fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f607000 | 0x7f607000 | 0x7f607fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f609000 | 0x7f609000 | 0x7f609fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f60a000 | 0x7f60a000 | 0x7f60cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f60d000 | 0x7f60d000 | 0x7f60ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xecc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #232: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #232 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xecc |
| Parent PID | 0x960 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
424
0x
830
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002a0000 | 0x002a0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9b0000 | 0x7e9b0000 | 0x7e9d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e9d5000 | 0x7e9d5000 | 0x7e9d5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9db000 | 0x7e9db000 | 0x7e9ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9de000 | 0x7e9de000 | 0x7e9defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #233: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #233 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x278 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D4
0x
64C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x0028ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00413fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00431fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00950000 | 0x00c86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f225000 | 0x7f225000 | 0x7f225fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f229000 | 0x7f229000 | 0x7f22bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22c000 | 0x7f22c000 | 0x7f22cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22d000 | 0x7f22d000 | 0x7f22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #235: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #235 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e8 |
| Parent PID | 0x278 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
754
0x
F34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7ef82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef89000 | 0x7ef89000 | 0x7ef8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef8c000 | 0x7ef8c000 | 0x7ef8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef8f000 | 0x7ef8f000 | 0x7ef8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #236: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #236 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf2c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F10
0x
A80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e80000 | 0x00e80000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01013fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x01031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01060000 | 0x0111dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x053bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054c0000 | 0x057f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fbf0000 | 0x7fbf0000 | 0x7fceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fcf0000 | 0x7fcf0000 | 0x7fd12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fd17000 | 0x7fd17000 | 0x7fd19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd1a000 | 0x7fd1a000 | 0x7fd1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd1d000 | 0x7fd1d000 | 0x7fd1dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd1f000 | 0x7fd1f000 | 0x7fd1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf00, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #238: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #238 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppReadiness/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf00 |
| Parent PID | 0xf2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
974
0x
FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb50000 | 0x7fb50000 | 0x7fb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb7b000 | 0x7fb7b000 | 0x7fb7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7e000 | 0x7fb7e000 | 0x7fb7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb7f000 | 0x7fb7f000 | 0x7fb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #239: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #239 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppSruProv" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3ec |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
18C
0x
F04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b40000 | 0x00b40000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d00000 | 0x00dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f46ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f496000 | 0x7f496000 | 0x7f496fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f499000 | 0x7f499000 | 0x7f49bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49c000 | 0x7f49c000 | 0x7f49efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49f000 | 0x7f49f000 | 0x7f49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #241: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #241 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppSruProv" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0x3ec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D14
0x
E70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x04f5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005030000 | 0x05030000 | 0x05033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x05040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x05051fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7eb02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb08000 | 0x7eb08000 | 0x7eb08fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb09000 | 0x7eb09000 | 0x7eb09fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0d000 | 0x7eb0d000 | 0x7eb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #242: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #242 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeployment/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x364 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
818
0x
5D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0029ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00450000 | 0x0050dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00830000 | 0x00b66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fb3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb40000 | 0x7fb40000 | 0x7fb62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb64000 | 0x7fb64000 | 0x7fb64fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb68000 | 0x7fb68000 | 0x7fb6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb6b000 | 0x7fb6b000 | 0x7fb6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb6e000 | 0x7fb6e000 | 0x7fb6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xadc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #244: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #244 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppXDeployment/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0x364 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F64
0x
2D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f512fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f519000 | 0x7f519000 | 0x7f519fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f51c000 | 0x7f51c000 | 0x7f51cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f51d000 | 0x7f51d000 | 0x7f51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #245: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #245 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeployment/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd3c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
544
0x
F7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00bf0000 | 0x00cadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea70000 | 0x7ea70000 | 0x7eb6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7eb92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb98000 | 0x7eb98000 | 0x7eb98fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb99000 | 0x7eb99000 | 0x7eb9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9c000 | 0x7eb9c000 | 0x7eb9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9f000 | 0x7eb9f000 | 0x7eb9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 242, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #247: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #247 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppXDeployment/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0xd3c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C9C
0x
EEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000140000 | 0x00140000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f7f0000 | 0x7f7f0000 | 0x7f812fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f813000 | 0x7f813000 | 0x7f813fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f81a000 | 0x7f81a000 | 0x7f81afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f81d000 | 0x7f81d000 | 0x7f81ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #248: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #248 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc98 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D38
0x
63C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000510000 | 0x00510000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0051ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00523fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006d0000 | 0x0078dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00aa0000 | 0x00dd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e980000 | 0x7e980000 | 0x7ea7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eaa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eaa8000 | 0x7eaa8000 | 0x7eaaafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaab000 | 0x7eaab000 | 0x7eaabfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaac000 | 0x7eaac000 | 0x7eaacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaad000 | 0x7eaad000 | 0x7eaaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x2d0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #250: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #250 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d0 |
| Parent PID | 0xc98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5A8
0x
190
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f242fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f248000 | 0x7f248000 | 0x7f248fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24c000 | 0x7f24c000 | 0x7f24efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24f000 | 0x7f24f000 | 0x7f24ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #251: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #251 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1b4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
848
0x
1A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c20000 | 0x00c20000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e80000 | 0x00f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053a0000 | 0x056d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f30ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f334000 | 0x7f334000 | 0x7f334fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f339000 | 0x7f339000 | 0x7f33bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33c000 | 0x7f33c000 | 0x7f33efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33f000 | 0x7f33f000 | 0x7f33ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x438, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #253: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #253 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x438 |
| Parent PID | 0x1b4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
59C
0x
E5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fa1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005050000 | 0x05050000 | 0x05053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005060000 | 0x05060000 | 0x05060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x05071fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0538ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7ea82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea89000 | 0x7ea89000 | 0x7ea8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8c000 | 0x7ea8c000 | 0x7ea8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8d000 | 0x7ea8d000 | 0x7ea8dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #254: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #254 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc88 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
60C
0x
814
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051a0000 | 0x051a0000 | 0x051a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x0523ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x053affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x053b0000 | 0x0546dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005470000 | 0x05470000 | 0x0556ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056c0000 | 0x056c0000 | 0x056cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056d0000 | 0x05a06fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5e0000 | 0x7e5e0000 | 0x7e6dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6e0000 | 0x7e6e0000 | 0x7e702fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e707000 | 0x7e707000 | 0x7e707fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e709000 | 0x7e709000 | 0x7e70bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e70c000 | 0x7e70c000 | 0x7e70efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e70f000 | 0x7e70f000 | 0x7e70ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd6c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #256: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #256 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd6c |
| Parent PID | 0xc88 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
94C
0x
B24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x04e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e310000 | 0x7e310000 | 0x7e332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e333000 | 0x7e333000 | 0x7e333fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e336000 | 0x7e336000 | 0x7e336fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e33d000 | 0x7e33d000 | 0x7e33ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #257: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #257 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Restricted" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF4
0x
CDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01003fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01013fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0538ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05390000 | 0x0544dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005450000 | 0x05450000 | 0x0554ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005630000 | 0x05630000 | 0x0563ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05640000 | 0x05976fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7f00ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f035000 | 0x7f035000 | 0x7f037fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f038000 | 0x7f038000 | 0x7f038fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03b000 | 0x7f03b000 | 0x7f03bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03d000 | 0x7f03d000 | 0x7f03ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 92, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x788, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #259: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #259 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppXDeploymentServer/Restricted" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x788 |
| Parent PID | 0xb68 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F4C
0x
F08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ec92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec9a000 | 0x7ec9a000 | 0x7ec9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9c000 | 0x7ec9c000 | 0x7ec9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9f000 | 0x7ec9f000 | 0x7ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #261: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #261 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicabilityEngine/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x34c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B4C
0x
EC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000080000 | 0x00080000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x0008ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00093fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003e0000 | 0x0049dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00690000 | 0x009c6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f140000 | 0x7f140000 | 0x7f23ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f262fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f266000 | 0x7f266000 | 0x7f266fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f267000 | 0x7f267000 | 0x7f269fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f26a000 | 0x7f26a000 | 0x7f26cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f26d000 | 0x7f26d000 | 0x7f26dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xec8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #263: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #263 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ApplicabilityEngine/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec8 |
| Parent PID | 0x34c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC4
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7eff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eff6000 | 0x7eff6000 | 0x7eff6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007effc000 | 0x7effc000 | 0x7effefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efff000 | 0x7efff000 | 0x7effffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #265: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #265 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicabilityEngine/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:54, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF0
0x
994
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f40000 | 0x00f40000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x010e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x05253fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0540ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005490000 | 0x05490000 | 0x0558ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05590000 | 0x058c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f490000 | 0x7f490000 | 0x7f4b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4b6000 | 0x7f4b6000 | 0x7f4b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4b9000 | 0x7f4b9000 | 0x7f4bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bc000 | 0x7f4bc000 | 0x7f4bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4be000 | 0x7f4be000 | 0x7f4befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #267: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #267 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ApplicabilityEngine/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xad0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
904
0x
F94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x04e5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f51fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0532ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f223000 | 0x7f223000 | 0x7f223fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22a000 | 0x7f22a000 | 0x7f22cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22d000 | 0x7f22d000 | 0x7f22dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #269: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #269 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc48 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE4
0x
FD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f60000 | 0x00f60000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x010f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001100000 | 0x01100000 | 0x01100fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x01111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x01123fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0540ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x0552ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05530000 | 0x05866fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7ef8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efb4000 | 0x7efb4000 | 0x7efb6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efb7000 | 0x7efb7000 | 0x7efb7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efba000 | 0x7efba000 | 0x7efbafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbd000 | 0x7efbd000 | 0x7efbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf18, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #271: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #271 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf18 |
| Parent PID | 0xc48 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB0
0x
FCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x04efffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fd0000 | 0x04fd0000 | 0x04fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0515ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005320000 | 0x05320000 | 0x0541ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb80000 | 0x7fb80000 | 0x7fba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fba8000 | 0x7fba8000 | 0x7fba8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbac000 | 0x7fbac000 | 0x7fbaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbaf000 | 0x7fbaf000 | 0x7fbaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #272: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #272 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CFC
0x
7D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000910000 | 0x00910000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x0091ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00923fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00933fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00953fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ad0000 | 0x00b8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa90000 | 0x7fa90000 | 0x7fb8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb90000 | 0x7fb90000 | 0x7fbb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fbb4000 | 0x7fbb4000 | 0x7fbb4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbb9000 | 0x7fbb9000 | 0x7fbbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbbc000 | 0x7fbbc000 | 0x7fbbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbbf000 | 0x7fbbf000 | 0x7fbbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xffc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #274: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #274 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xffc |
| Parent PID | 0xff8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C0C
0x
370
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000630000 | 0x00630000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00703fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5b0000 | 0x7e5b0000 | 0x7e5d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5d9000 | 0x7e5d9000 | 0x7e5d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5dc000 | 0x7e5dc000 | 0x7e5defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5df000 | 0x7e5df000 | 0x7e5dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #275: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #275 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
75C
0x
C4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d10000 | 0x00d10000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ec1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ed0000 | 0x00f8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x0533ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0541ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05420000 | 0x05756fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f620000 | 0x7f620000 | 0x7f71ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f720000 | 0x7f720000 | 0x7f742fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f747000 | 0x7f747000 | 0x7f749fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f74a000 | 0x7f74a000 | 0x7f74afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f74c000 | 0x7f74c000 | 0x7f74efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f74f000 | 0x7f74f000 | 0x7f74ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #277: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #277 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc78 |
| Parent PID | 0xed8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
908
0x
C84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002a0000 | 0x002a0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5e0000 | 0x7e5e0000 | 0x7e602fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e60a000 | 0x7e60a000 | 0x7e60cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e60d000 | 0x7e60d000 | 0x7e60dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e60f000 | 0x7e60f000 | 0x7e60ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #278: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #278 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf88 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FEC
0x
CF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000310000 | 0x00310000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x0031ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00323fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00510000 | 0x005cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008c0000 | 0x00bf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f2fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f322fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f326000 | 0x7f326000 | 0x7f326fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f329000 | 0x7f329000 | 0x7f329fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f32a000 | 0x7f32a000 | 0x7f32cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f32d000 | 0x7f32d000 | 0x7f32ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #280: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #280 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc60 |
| Parent PID | 0xf88 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
0x
458
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x04c0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e310000 | 0x7e310000 | 0x7e332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e33b000 | 0x7e33b000 | 0x7e33dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e33e000 | 0x7e33e000 | 0x7e33efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e33f000 | 0x7e33f000 | 0x7e33ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #281: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #281 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE4
0x
C68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000630000 | 0x00630000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x0063ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00643fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007f0000 | 0x008adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d50000 | 0x01086fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e240000 | 0x7e240000 | 0x7e33ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e340000 | 0x7e340000 | 0x7e362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e365000 | 0x7e365000 | 0x7e367fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e368000 | 0x7e368000 | 0x7e368fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e36b000 | 0x7e36b000 | 0x7e36bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e36d000 | 0x7e36d000 | 0x7e36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xee0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #283: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #283 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0xdb8 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
0x
F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000900000 | 0x00900000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00943fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f530000 | 0x7f530000 | 0x7f552fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f558000 | 0x7f558000 | 0x7f558fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f55c000 | 0x7f55c000 | 0x7f55efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f55f000 | 0x7f55f000 | 0x7f55ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #284: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #284 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:58, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x57c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
688
0x
8D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a90000 | 0x00a90000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c50000 | 0x00d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052f0000 | 0x05626fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f720000 | 0x7f720000 | 0x7f81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f820000 | 0x7f820000 | 0x7f842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f848000 | 0x7f848000 | 0x7f84afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f84b000 | 0x7f84b000 | 0x7f84dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f84e000 | 0x7f84e000 | 0x7f84efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f84f000 | 0x7f84f000 | 0x7f84ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xa24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #286: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #286 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:58, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0x57c (c:\windows\system32\reg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
9E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008f0000 | 0x008f0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7e0000 | 0x7e7e0000 | 0x7e802fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e807000 | 0x7e807000 | 0x7e807fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e809000 | 0x7e809000 | 0x7e809fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e80d000 | 0x7e80d000 | 0x7e80ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #287: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #287 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x93c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA8
0x
E20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0045ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00610000 | 0x006cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bc0000 | 0x00ef6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f490000 | 0x7f490000 | 0x7f4b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4b8000 | 0x7f4b8000 | 0x7f4b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4b9000 | 0x7f4b9000 | 0x7f4bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bc000 | 0x7f4bc000 | 0x7f4befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bf000 | 0x7f4bf000 | 0x7f4bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x790, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #289: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #289 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x790 |
| Parent PID | 0x93c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x04d9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04de3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7ef32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef39000 | 0x7ef39000 | 0x7ef3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef3c000 | 0x7ef3c000 | 0x7ef3cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef3f000 | 0x7ef3f000 | 0x7ef3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #290: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #290 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe24 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D9C
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000080000 | 0x00080000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x0008ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00093fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003c0000 | 0x0047dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x005d0000 | 0x00906fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e510000 | 0x7e510000 | 0x7e60ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e610000 | 0x7e610000 | 0x7e632fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e633000 | 0x7e633000 | 0x7e633fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e636000 | 0x7e636000 | 0x7e636fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e63a000 | 0x7e63a000 | 0x7e63cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e63d000 | 0x7e63d000 | 0x7e63ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #292: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #292 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0xe24 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E18
0x
DD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000350000 | 0x00350000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f493000 | 0x7f493000 | 0x7f493fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49c000 | 0x7f49c000 | 0x7f49efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49f000 | 0x7f49f000 | 0x7f49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #293: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #293 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:03:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe30 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA4
0x
F6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c70000 | 0x00c70000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00cb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e30000 | 0x00eedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053e0000 | 0x05716fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb85000 | 0x7eb85000 | 0x7eb85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb89000 | 0x7eb89000 | 0x7eb8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8c000 | 0x7eb8c000 | 0x7eb8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8f000 | 0x7eb8f000 | 0x7eb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #295: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #295 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:03:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd98 |
| Parent PID | 0xe30 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB0
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00633fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4b0000 | 0x7e4b0000 | 0x7e4d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e4d3000 | 0x7e4d3000 | 0x7e4d3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4d4000 | 0x7e4d4000 | 0x7e4d4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4dd000 | 0x7e4dd000 | 0x7e4dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #296: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #296 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:00, Reason: Child Process |
| Unmonitor | End Time: 00:03:00, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D18
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e20000 | 0x00e20000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fe0000 | 0x0109dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x0555ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05560000 | 0x05896fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e970000 | 0x7e970000 | 0x7ea6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea70000 | 0x7ea70000 | 0x7ea92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea95000 | 0x7ea95000 | 0x7ea95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea99000 | 0x7ea99000 | 0x7ea9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea9c000 | 0x7ea9c000 | 0x7ea9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea9f000 | 0x7ea9f000 | 0x7ea9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcf8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #298: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #298 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:00, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf8 |
| Parent PID | 0x768 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DDC
0x
EF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f262fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f26b000 | 0x7f26b000 | 0x7f26bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f26c000 | 0x7f26c000 | 0x7f26efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f26f000 | 0x7f26f000 | 0x7f26ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #299: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #299 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Telemetry" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:00, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd8c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
114
0x
BE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x01091fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x054effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x0562ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05630000 | 0x05966fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f7c0000 | 0x7f7c0000 | 0x7f8bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f8c0000 | 0x7f8c0000 | 0x7f8e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8e8000 | 0x7f8e8000 | 0x7f8eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8eb000 | 0x7f8eb000 | 0x7f8edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ee000 | 0x7f8ee000 | 0x7f8eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ef000 | 0x7f8ef000 | 0x7f8effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x7f0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #301: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #301 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Telemetry" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f0 |
| Parent PID | 0xd8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D20
0x
E50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f730000 | 0x7f730000 | 0x7f752fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f754000 | 0x7f754000 | 0x7f754fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f757000 | 0x7f757000 | 0x7f757fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f75d000 | 0x7f75d000 | 0x7f75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #302: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #302 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Steps-Recorder" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe1c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD0
0x
E48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00543fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00730000 | 0x007edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a40000 | 0x00d76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7f0affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f0d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0d5000 | 0x7f0d5000 | 0x7f0d5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0d6000 | 0x7f0d6000 | 0x7f0d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0da000 | 0x7f0da000 | 0x7f0dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0dd000 | 0x7f0dd000 | 0x7f0dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 230, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #304: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #304 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Steps-Recorder" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd8 |
| Parent PID | 0xe1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E74
0x
E6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x04d4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f108000 | 0x7f108000 | 0x7f108fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10c000 | 0x7f10c000 | 0x7f10efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10f000 | 0x7f10f000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #305: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #305 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1A0
0x
D04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000430000 | 0x00430000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x0043ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00453fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x006adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a70000 | 0x00da6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f790000 | 0x7f790000 | 0x7f88ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f890000 | 0x7f890000 | 0x7f8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8b6000 | 0x7f8b6000 | 0x7f8b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8b9000 | 0x7f8b9000 | 0x7f8bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8bc000 | 0x7f8bc000 | 0x7f8bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8bf000 | 0x7f8bf000 | 0x7f8bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #307: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #307 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0xde4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB0
0x
AB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x04ceffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d20000 | 0x04d20000 | 0x04d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9e0000 | 0x7e9e0000 | 0x7ea02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea0b000 | 0x7ea0b000 | 0x7ea0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea0c000 | 0x7ea0c000 | 0x7ea0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea0f000 | 0x7ea0f000 | 0x7ea0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #308: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #308 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ApplicationResourceManagementSystem/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2b0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
81C
0x
554
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000070000 | 0x00070000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x0007ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00083fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00091fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00093fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00203fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x0036dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00630000 | 0x00966fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f20ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f236000 | 0x7f236000 | 0x7f236fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f238000 | 0x7f238000 | 0x7f238fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23a000 | 0x7f23a000 | 0x7f23cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 208, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x268, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #310: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #310 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ApplicationResourceManagementSystem/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x268 |
| Parent PID | 0x2b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E28
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f142fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f146000 | 0x7f146000 | 0x7f146fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f14c000 | 0x7f14c000 | 0x7f14efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f14f000 | 0x7f14f000 | 0x7f14ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #311: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #311 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x15c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F58
0x
304
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d40000 | 0x00d40000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f00000 | 0x00fbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005570000 | 0x05570000 | 0x0557ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05580000 | 0x058b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5d0000 | 0x7f5d0000 | 0x7f6cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6d0000 | 0x7f6d0000 | 0x7f6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6f3000 | 0x7f6f3000 | 0x7f6f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6f9000 | 0x7f6f9000 | 0x7f6fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6fc000 | 0x7f6fc000 | 0x7f6fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ff000 | 0x7f6ff000 | 0x7f6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 55, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #313: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #313 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc38 |
| Parent PID | 0x15c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C1C
0x
E60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb70000 | 0x7fb70000 | 0x7fb92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb96000 | 0x7fb96000 | 0x7fb96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb9c000 | 0x7fb9c000 | 0x7fb9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb9f000 | 0x7fb9f000 | 0x7fb9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #314: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #314 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B44
0x
E68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f50000 | 0x00f50000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x010e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x01101fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005440000 | 0x05440000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005710000 | 0x05710000 | 0x0571ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05720000 | 0x05a56fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e980000 | 0x7e980000 | 0x7ea7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eaa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eaa6000 | 0x7eaa6000 | 0x7eaa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaa9000 | 0x7eaa9000 | 0x7eaabfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaac000 | 0x7eaac000 | 0x7eaaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaaf000 | 0x7eaaf000 | 0x7eaaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x6c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #316: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #316 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6c0 |
| Parent PID | 0xe2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD0
0x
428
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000230000 | 0x00230000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00321fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f650000 | 0x7f650000 | 0x7f672fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f67a000 | 0x7f67a000 | 0x7f67cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f67d000 | 0x7f67d000 | 0x7f67dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f67f000 | 0x7f67f000 | 0x7f67ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #317: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #317 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:04, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x468 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
218
0x
204
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000860000 | 0x00860000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x0086ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00883fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a20000 | 0x00addfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e73ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e762fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e765000 | 0x7e765000 | 0x7e767fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e768000 | 0x7e768000 | 0x7e768fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e76a000 | 0x7e76a000 | 0x7e76cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e76d000 | 0x7e76d000 | 0x7e76dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #319: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #319 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AppxPackaging/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c0 |
| Parent PID | 0x468 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
424
0x
830
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000940000 | 0x00940000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00961fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00983fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007edc0000 | 0x7edc0000 | 0x7ede2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edea000 | 0x7edea000 | 0x7edecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eded000 | 0x7eded000 | 0x7ededfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edef000 | 0x7edef000 | 0x7edeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #320: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #320 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccess/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc08 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F84
0x
C34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000030000 | 0x00030000 | 0x0004ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x0003ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00043fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00051fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00073fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006a0000 | 0x009d6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7effffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f000000 | 0x7f000000 | 0x7f022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f023000 | 0x7f023000 | 0x7f023fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f029000 | 0x7f029000 | 0x7f02bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02c000 | 0x7f02c000 | 0x7f02efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02f000 | 0x7f02f000 | 0x7f02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 139, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x2c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #322: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #322 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AssignedAccess/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:05, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c0 |
| Parent PID | 0xc08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
754
0x
F34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000060000 | 0x00060000 | 0x0007ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00081fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x000a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00151fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f190000 | 0x7f190000 | 0x7f1b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1b6000 | 0x7f1b6000 | 0x7f1b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1bb000 | 0x7f1bb000 | 0x7f1bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1bd000 | 0x7f1bd000 | 0x7f1bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #323: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #323 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccess/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D4
0x
CB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x0053ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00543fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006f0000 | 0x007adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d40000 | 0x01076fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e0e0000 | 0x7e0e0000 | 0x7e1dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e1e0000 | 0x7e1e0000 | 0x7e202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e204000 | 0x7e204000 | 0x7e204fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e209000 | 0x7e209000 | 0x7e20bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e20c000 | 0x7e20c000 | 0x7e20efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e20f000 | 0x7e20f000 | 0x7e20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #325: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #325 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AssignedAccess/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf48 |
| Parent PID | 0x6e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
974
0x
FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f1d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1da000 | 0x7f1da000 | 0x7f1dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1dd000 | 0x7f1dd000 | 0x7f1ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1de000 | 0x7f1de000 | 0x7f1defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #326: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #326 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccessBroker/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:07, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F10
0x
380
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000470000 | 0x00470000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x0047ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00630000 | 0x006edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009d0000 | 0x00d06fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7efeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eff0000 | 0x7eff0000 | 0x7f012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f017000 | 0x7f017000 | 0x7f017fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f019000 | 0x7f019000 | 0x7f01bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f01c000 | 0x7f01c000 | 0x7f01efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f01f000 | 0x7f01f000 | 0x7f01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 33, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x7f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #328: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #328 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AssignedAccessBroker/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f8 |
| Parent PID | 0xd0c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D14
0x
E70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b80000 | 0x04b80000 | 0x04b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5a0000 | 0x7f5a0000 | 0x7f5c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5c6000 | 0x7f5c6000 | 0x7f5c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5cc000 | 0x7f5cc000 | 0x7f5cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5cf000 | 0x7f5cf000 | 0x7f5cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #329: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #329 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AssignedAccessBroker/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf14 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
18C
0x
844
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f80000 | 0x00f80000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x01131fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x053bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054f0000 | 0x054f0000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05500000 | 0x05836fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f26ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f297000 | 0x7f297000 | 0x7f299fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f29a000 | 0x7f29a000 | 0x7f29afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f29c000 | 0x7f29c000 | 0x7f29efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f29f000 | 0x7f29f000 | 0x7f29ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #331: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #331 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AssignedAccessBroker/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0xf14 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D58
0x
B30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f505000 | 0x7f505000 | 0x7f505fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50a000 | 0x7f50a000 | 0x7f50cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50d000 | 0x7f50d000 | 0x7f50dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #332: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #332 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AsynchronousCausality/Causality" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb28 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D5C
0x
2D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005b0000 | 0x005b0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00770000 | 0x0082dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b90000 | 0x00ec6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f7b0000 | 0x7f7b0000 | 0x7f8affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f8d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8d7000 | 0x7f8d7000 | 0x7f8d7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8d9000 | 0x7f8d9000 | 0x7f8dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8dc000 | 0x7f8dc000 | 0x7f8dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8dd000 | 0x7f8dd000 | 0x7f8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x490, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #334: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #334 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AsynchronousCausality/Causality" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x490 |
| Parent PID | 0xb28 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
818
0x
5D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x04ccffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004db0000 | 0x04db0000 | 0x04db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f130000 | 0x7f130000 | 0x7f152fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f15b000 | 0x7f15b000 | 0x7f15bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15c000 | 0x7f15c000 | 0x7f15efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15f000 | 0x7f15f000 | 0x7f15ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #335: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #335 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/CaptureMonitor" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:08, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6c8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
534
0x
F40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000840000 | 0x00840000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0084ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00853fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00883fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a00000 | 0x00abdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e790000 | 0x7e790000 | 0x7e88ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e890000 | 0x7e890000 | 0x7e8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8b7000 | 0x7e8b7000 | 0x7e8b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ba000 | 0x7e8ba000 | 0x7e8bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8bd000 | 0x7e8bd000 | 0x7e8bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8bf000 | 0x7e8bf000 | 0x7e8bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xbd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #337: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #337 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audio/CaptureMonitor" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:08, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0x6c8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA0
0x
510
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x04c4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c80000 | 0x04c80000 | 0x04c93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d20000 | 0x04d20000 | 0x04d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6c8000 | 0x7f6c8000 | 0x7f6c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cc000 | 0x7f6cc000 | 0x7f6cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cf000 | 0x7f6cf000 | 0x7f6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #338: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #338 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/GlitchDetection" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf5c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E58
0x
D44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000540000 | 0x00540000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0054ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00563fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00583fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00700000 | 0x007bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b40000 | 0x00e76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ef0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7ef32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef34000 | 0x7ef34000 | 0x7ef34fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef39000 | 0x7ef39000 | 0x7ef3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef3c000 | 0x7ef3c000 | 0x7ef3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef3f000 | 0x7ef3f000 | 0x7ef3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 128, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x544, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #340: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #340 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audio/GlitchDetection" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x544 |
| Parent PID | 0xf5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F7C
0x
E44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00563fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00581fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9f0000 | 0x7f9f0000 | 0x7fa12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa15000 | 0x7fa15000 | 0x7fa15fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa1c000 | 0x7fa1c000 | 0x7fa1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa1f000 | 0x7fa1f000 | 0x7fa1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #341: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #341 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Informational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x724 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F78
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004e0000 | 0x0059dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008f0000 | 0x00c26fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7ec2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ec52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec56000 | 0x7ec56000 | 0x7ec58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec59000 | 0x7ec59000 | 0x7ec5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5c000 | 0x7ec5c000 | 0x7ec5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5f000 | 0x7ec5f000 | 0x7ec5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #343: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #343 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audio/Informational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd38 |
| Parent PID | 0x724 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
63C
0x
A74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000700000 | 0x00700000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eea0000 | 0x7eea0000 | 0x7eec2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eec6000 | 0x7eec6000 | 0x7eec6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eec8000 | 0x7eec8000 | 0x7eec8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eecd000 | 0x7eecd000 | 0x7eecffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #344: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #344 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
548
0x
1B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01071fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01080000 | 0x0113dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x0564ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05650000 | 0x05986fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef67000 | 0x7ef67000 | 0x7ef69fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6a000 | 0x7ef6a000 | 0x7ef6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #346: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #346 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audio/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc04 |
| Parent PID | 0xe5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
894
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f140000 | 0x7f140000 | 0x7f162fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f167000 | 0x7f167000 | 0x7f169fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f16a000 | 0x7f16a000 | 0x7f16afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f16d000 | 0x7f16d000 | 0x7f16dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #347: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #347 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb24 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
478
0x
C88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005a0000 | 0x005a0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00930000 | 0x009edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c30000 | 0x00f66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f35ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f385000 | 0x7f385000 | 0x7f385fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f388000 | 0x7f388000 | 0x7f388fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38a000 | 0x7f38a000 | 0x7f38cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38d000 | 0x7f38d000 | 0x7f38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xa68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #349: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #349 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audio/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0xb24 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
850
0x
F4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000080000 | 0x00080000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb00000 | 0x7fb00000 | 0x7fb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb28000 | 0x7fb28000 | 0x7fb28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2b000 | 0x7fb2b000 | 0x7fb2dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2e000 | 0x7fb2e000 | 0x7fb2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #350: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #350 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/PlaybackManager" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
41C
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004a0000 | 0x004a0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00633fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00660000 | 0x0071dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b20000 | 0x00e56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7eabffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7eae2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eae5000 | 0x7eae5000 | 0x7eae5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eae7000 | 0x7eae7000 | 0x7eae7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaea000 | 0x7eaea000 | 0x7eaecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaed000 | 0x7eaed000 | 0x7eaeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 159, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #352: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #352 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audio/PlaybackManager" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe90 |
| Parent PID | 0xf08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B4C
0x
EC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000430000 | 0x00430000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00503fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef54000 | 0x7ef54000 | 0x7ef54fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5b000 | 0x7ef5b000 | 0x7ef5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5d000 | 0x7ef5d000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #353: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #353 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audit/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xea4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB4
0x
EF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b40000 | 0x00b40000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d00000 | 0x00dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f27ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f280000 | 0x7f280000 | 0x7f2a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2a5000 | 0x7f2a5000 | 0x7f2a5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2a9000 | 0x7f2a9000 | 0x7f2abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2ac000 | 0x7f2ac000 | 0x7f2aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2af000 | 0x7f2af000 | 0x7f2affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x994, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #355: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #355 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Audit/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x994 |
| Parent PID | 0xea4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
0x
F9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002d0000 | 0x002d0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f990000 | 0x7f990000 | 0x7f9b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9b6000 | 0x7f9b6000 | 0x7f9b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9ba000 | 0x7f9ba000 | 0x7f9bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9bd000 | 0x7f9bd000 | 0x7f9bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #356: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #356 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication User Interface/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:12, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
788
0x
968
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d80000 | 0x00d80000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x053cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053d0000 | 0x05706fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eda7000 | 0x7eda7000 | 0x7eda9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaa000 | 0x7edaa000 | 0x7edacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edad000 | 0x7edad000 | 0x7edadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaf000 | 0x7edaf000 | 0x7edaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 153, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x34c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #358: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #358 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Authentication User Interface/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x34c |
| Parent PID | 0xfa8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E8
0x
FB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0517ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f0c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0c4000 | 0x7f0c4000 | 0x7f0c4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0cb000 | 0x7f0cb000 | 0x7f0cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0cd000 | 0x7f0cd000 | 0x7f0cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #359: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #359 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfcc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
920
0x
C48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051a0000 | 0x051a0000 | 0x051a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051c0000 | 0x0527dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x053affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005490000 | 0x05490000 | 0x0549ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054a0000 | 0x054a0000 | 0x0559ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055a0000 | 0x055a0000 | 0x0569ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056a0000 | 0x059d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5a0000 | 0x7e5a0000 | 0x7e69ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6a0000 | 0x7e6a0000 | 0x7e6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6c7000 | 0x7e6c7000 | 0x7e6c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6c8000 | 0x7e6c8000 | 0x7e6cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6cb000 | 0x7e6cb000 | 0x7e6cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6ce000 | 0x7e6ce000 | 0x7e6cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 101, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xff4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #361: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #361 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff4 |
| Parent PID | 0xfcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF0
0x
C0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053b0000 | 0x053b0000 | 0x054affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ee52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee5b000 | 0x7ee5b000 | 0x7ee5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5e000 | 0x7ee5e000 | 0x7ee5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee5f000 | 0x7ee5f000 | 0x7ee5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #362: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #362 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUser-Client" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x370 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D0
0x
FF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f80000 | 0x00f80000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x01131fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x052a0000 | 0x0535dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0549ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055d0000 | 0x055d0000 | 0x055dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055e0000 | 0x05916fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7efdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f004000 | 0x7f004000 | 0x7f006fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f007000 | 0x7f007000 | 0x7f009fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00a000 | 0x7f00a000 | 0x7f00afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00d000 | 0x7f00d000 | 0x7f00dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #364: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #364 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUser-Client" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0x370 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C80
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e410000 | 0x7e410000 | 0x7e432fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e437000 | 0x7e437000 | 0x7e437fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e439000 | 0x7e439000 | 0x7e439fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e43d000 | 0x7e43d000 | 0x7e43ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #365: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #365 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc84 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C58
0x
C78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e60000 | 0x00f1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05290000 | 0x055c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f3effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3f0000 | 0x7f3f0000 | 0x7f412fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f415000 | 0x7f415000 | 0x7f415fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f418000 | 0x7f418000 | 0x7f41afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f41b000 | 0x7f41b000 | 0x7f41dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f41e000 | 0x7f41e000 | 0x7f41efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xed8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #367: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #367 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed8 |
| Parent PID | 0xc84 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
578
0x
C90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5e0000 | 0x7f5e0000 | 0x7f602fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f605000 | 0x7f605000 | 0x7f605fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f608000 | 0x7f608000 | 0x7f608fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f60d000 | 0x7f60d000 | 0x7f60ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #368: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #368 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x458 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
828
0x
538
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e90000 | 0x00e90000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01023fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x01041fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01050000 | 0x0110dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054b0000 | 0x054b0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054f0000 | 0x054f0000 | 0x055effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055f0000 | 0x05926fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f103000 | 0x7f103000 | 0x7f103fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f109000 | 0x7f109000 | 0x7f10bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10c000 | 0x7f10c000 | 0x7f10efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10f000 | 0x7f10f000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #370: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #370 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb20 |
| Parent PID | 0x458 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
0x
F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f07a000 | 0x7f07a000 | 0x7f07cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07d000 | 0x7f07d000 | 0x7f07dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07f000 | 0x7f07f000 | 0x7f07ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #371: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #371 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AxInstallService/Log" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2e8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE4
0x
BF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000480000 | 0x00480000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x0048ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00631fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00670000 | 0x0072dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00aa0000 | 0x00dd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ee1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee44000 | 0x7ee44000 | 0x7ee44fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee47000 | 0x7ee47000 | 0x7ee49fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4a000 | 0x7ee4a000 | 0x7ee4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4d000 | 0x7ee4d000 | 0x7ee4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #373: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #373 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-AxInstallService/Log" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd4 |
| Parent PID | 0x2e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
9E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007f0000 | 0x007f0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00833fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1c0000 | 0x7f1c0000 | 0x7f1e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1ea000 | 0x7f1ea000 | 0x7f1eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ec000 | 0x7f1ec000 | 0x7f1eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ef000 | 0x7f1ef000 | 0x7f1effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #374: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #374 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe00 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
688
0x
F44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000430000 | 0x00430000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x0043ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00453fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x006adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a10000 | 0x00d46fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f2effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f312fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f315000 | 0x7f315000 | 0x7f315fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f318000 | 0x7f318000 | 0x7f318fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31a000 | 0x7f31a000 | 0x7f31cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31d000 | 0x7f31d000 | 0x7f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #376: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #376 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf0 |
| Parent PID | 0xe00 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b80000 | 0x04b80000 | 0x04b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6d0000 | 0x7f6d0000 | 0x7f6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6fa000 | 0x7f6fa000 | 0x7f6fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6fc000 | 0x7f6fc000 | 0x7f6fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ff000 | 0x7f6ff000 | 0x7f6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #377: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #377 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BackgroundTaskInfrastructure/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA8
0x
DEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000470000 | 0x00470000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x0047ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00483fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006f0000 | 0x007adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a80000 | 0x00db6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef58000 | 0x7ef58000 | 0x7ef5afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5b000 | 0x7ef5b000 | 0x7ef5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5e000 | 0x7ef5e000 | 0x7ef5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5f000 | 0x7ef5f000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #379: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #379 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BackgroundTaskInfrastructure/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf4 |
| Parent PID | 0xca8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E18
0x
DD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006c0000 | 0x006c0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00703fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f040000 | 0x7f040000 | 0x7f062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f064000 | 0x7f064000 | 0x7f064fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06c000 | 0x7f06c000 | 0x7f06efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06f000 | 0x7f06f000 | 0x7f06ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #380: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #380 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd9c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC8
0x
B00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00453fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00460fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008a0000 | 0x00bd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3a0000 | 0x7e3a0000 | 0x7e49ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e4a0000 | 0x7e4a0000 | 0x7e4c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e4c7000 | 0x7e4c7000 | 0x7e4c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4c8000 | 0x7e4c8000 | 0x7e4c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4ca000 | 0x7e4ca000 | 0x7e4ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4cd000 | 0x7e4cd000 | 0x7e4cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #382: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #382 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xd9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB4
0x
D74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed50000 | 0x7ed50000 | 0x7ed72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed75000 | 0x7ed75000 | 0x7ed75fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed7c000 | 0x7ed7c000 | 0x7ed7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed7f000 | 0x7ed7f000 | 0x7ed7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #383: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #383 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Backup" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F6C
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00963fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00981fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00990000 | 0x00a4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb87000 | 0x7eb87000 | 0x7eb87fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb89000 | 0x7eb89000 | 0x7eb8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8c000 | 0x7eb8c000 | 0x7eb8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8d000 | 0x7eb8d000 | 0x7eb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xddc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #385: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #385 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Backup" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xddc |
| Parent PID | 0xca4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF8
0x
350
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fa1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005050000 | 0x05050000 | 0x05053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005060000 | 0x05060000 | 0x05060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x05071fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0527ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x0548ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb20000 | 0x7fb20000 | 0x7fb42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb45000 | 0x7fb45000 | 0x7fb45fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb49000 | 0x7fb49000 | 0x7fb49fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb4d000 | 0x7fb4d000 | 0x7fb4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #386: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #386 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd18 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D78
0x
C6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00270000 | 0x0032dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007f0000 | 0x00b26fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f14ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f150000 | 0x7f150000 | 0x7f172fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f173000 | 0x7f173000 | 0x7f173fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f178000 | 0x7f178000 | 0x7f178fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f17a000 | 0x7f17a000 | 0x7f17cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f17d000 | 0x7f17d000 | 0x7f17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 87, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #388: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #388 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd20 |
| Parent PID | 0xd18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E50
0x
D24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed19000 | 0x7ed19000 | 0x7ed19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1c000 | 0x7ed1c000 | 0x7ed1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1d000 | 0x7ed1d000 | 0x7ed1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #389: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #389 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x114 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE0
0x
324
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d10000 | 0x00d10000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ec1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ee0000 | 0x00f9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x0540ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05410000 | 0x05746fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7f0bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e8000 | 0x7f0e8000 | 0x7f0eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0eb000 | 0x7f0eb000 | 0x7f0ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ec000 | 0x7f0ec000 | 0x7f0eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ef000 | 0x7f0ef000 | 0x7f0effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #391: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #391 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe74 |
| Parent PID | 0x114 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E6C
0x
C64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000800000 | 0x00800000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00821fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00843fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f1a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1a5000 | 0x7f1a5000 | 0x7f1a5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1a6000 | 0x7f1a6000 | 0x7f1a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ad000 | 0x7f1ad000 | 0x7f1affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #392: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #392 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Battery/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E48
0x
CE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005e0000 | 0x005e0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00603fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00773fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007a0000 | 0x0085dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bb0000 | 0x00ee6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e170000 | 0x7e170000 | 0x7e26ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e270000 | 0x7e270000 | 0x7e292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e297000 | 0x7e297000 | 0x7e297fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e299000 | 0x7e299000 | 0x7e29bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e29c000 | 0x7e29c000 | 0x7e29efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e29f000 | 0x7e29f000 | 0x7e29ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #394: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #394 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Battery/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0xdd0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB4
0x
5F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fc90000 | 0x7fc90000 | 0x7fcb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fcb9000 | 0x7fcb9000 | 0x7fcbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcbc000 | 0x7fcbc000 | 0x7fcbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcbd000 | 0x7fcbd000 | 0x7fcbdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #395: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #395 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1a0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D04
0x
590
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c20000 | 0x00cddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7f00ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f036000 | 0x7f036000 | 0x7f038fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f039000 | 0x7f039000 | 0x7f039fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03c000 | 0x7f03c000 | 0x7f03efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03f000 | 0x7f03f000 | 0x7f03ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #397: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #397 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe28 |
| Parent PID | 0x1a0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
948
0x
7E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x04edffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fc0000 | 0x04fc0000 | 0x04fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0510ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f495000 | 0x7f495000 | 0x7f495fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49a000 | 0x7f49a000 | 0x7f49afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49d000 | 0x7f49d000 | 0x7f49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #398: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #398 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
554
0x
14C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002e0000 | 0x002e0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004a0000 | 0x0055dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ae0000 | 0x00e16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f5fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f628000 | 0x7f628000 | 0x7f628fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f629000 | 0x7f629000 | 0x7f62bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62c000 | 0x7f62c000 | 0x7f62efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62f000 | 0x7f62f000 | 0x7f62ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc1c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #400: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #400 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc1c |
| Parent PID | 0x81c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E60
0x
520
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00633fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ebd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebd7000 | 0x7ebd7000 | 0x7ebd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebd9000 | 0x7ebd9000 | 0x7ebd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdd000 | 0x7ebdd000 | 0x7ebdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #401: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #401 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf58 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
304
0x
804
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x0016ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00311fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004d0000 | 0x0058dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00830000 | 0x00b66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef76000 | 0x7ef76000 | 0x7ef76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef78000 | 0x7ef78000 | 0x7ef7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7b000 | 0x7ef7b000 | 0x7ef7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #403: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #403 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe7c |
| Parent PID | 0xf58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E9C
0x
BD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000140000 | 0x00140000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ed42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed44000 | 0x7ed44000 | 0x7ed44fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed4b000 | 0x7ed4b000 | 0x7ed4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed4d000 | 0x7ed4d000 | 0x7ed4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #404: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #404 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E68
0x
464
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000a0000 | 0x000a0000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00260000 | 0x0031dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00810000 | 0x00b46fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ecaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7ecd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecd8000 | 0x7ecd8000 | 0x7ecdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecdb000 | 0x7ecdb000 | 0x7ecdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecdc000 | 0x7ecdc000 | 0x7ecdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecdf000 | 0x7ecdf000 | 0x7ecdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x424, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #406: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #406 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x424 |
| Parent PID | 0xb44 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
830
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5b0000 | 0x7f5b0000 | 0x7f5d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5d8000 | 0x7f5d8000 | 0x7f5d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5dc000 | 0x7f5dc000 | 0x7f5dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5dd000 | 0x7f5dd000 | 0x7f5dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #407: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #407 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-Driver-Performance/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x48c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
754
0x
2E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000870000 | 0x00870000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x0087ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00883fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00891fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a80000 | 0x00b3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb20000 | 0x7eb20000 | 0x7ec1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec20000 | 0x7ec20000 | 0x7ec42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec47000 | 0x7ec47000 | 0x7ec49fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec4a000 | 0x7ec4a000 | 0x7ec4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec4c000 | 0x7ec4c000 | 0x7ec4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec4d000 | 0x7ec4d000 | 0x7ec4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x2c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #409: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #409 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BitLocker-Driver-Performance/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c0 |
| Parent PID | 0x48c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C08
0x
BF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000470000 | 0x00470000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00543fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e380000 | 0x7e380000 | 0x7e3a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3a8000 | 0x7e3a8000 | 0x7e3a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3ac000 | 0x7e3ac000 | 0x7e3aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3af000 | 0x7e3af000 | 0x7e3affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #410: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #410 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker/BitLocker Management" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x740 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
974
0x
2EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c40000 | 0x00c40000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e00000 | 0x00ebdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05440000 | 0x05776fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5e0000 | 0x7e5e0000 | 0x7e6dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6e0000 | 0x7e6e0000 | 0x7e702fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e704000 | 0x7e704000 | 0x7e704fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e708000 | 0x7e708000 | 0x7e70afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e70b000 | 0x7e70b000 | 0x7e70bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e70d000 | 0x7e70d000 | 0x7e70ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #412: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #412 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BitLocker/BitLocker Management" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf48 |
| Parent PID | 0x740 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6E8
0x
64C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008b0000 | 0x008b0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00983fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e160000 | 0x7e160000 | 0x7e182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e185000 | 0x7e185000 | 0x7e185fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e18c000 | 0x7e18c000 | 0x7e18efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e18f000 | 0x7e18f000 | 0x7e18ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #413: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #413 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker/BitLocker Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F24
0x
380
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00600000 | 0x006bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009b0000 | 0x00ce6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e93ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e940000 | 0x7e940000 | 0x7e962fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e967000 | 0x7e967000 | 0x7e967fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e969000 | 0x7e969000 | 0x7e96bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e96c000 | 0x7e96c000 | 0x7e96efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e96f000 | 0x7e96f000 | 0x7e96ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 236, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #415: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #415 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BitLocker/BitLocker Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf2c |
| Parent PID | 0xe98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F3C
0x
7F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003d0000 | 0x003d0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00413fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7ef42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef48000 | 0x7ef48000 | 0x7ef48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef4a000 | 0x7ef4a000 | 0x7ef4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef4d000 | 0x7ef4d000 | 0x7ef4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #416: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #416 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker/Tracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A80
0x
D58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006b0000 | 0x006b0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00843fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00883fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009a0000 | 0x00a5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ba0000 | 0x00ed6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f5fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f625000 | 0x7f625000 | 0x7f627fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f628000 | 0x7f628000 | 0x7f62afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62b000 | 0x7f62b000 | 0x7f62bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62e000 | 0x7f62e000 | 0x7f62efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb30, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #418: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #418 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BitLocker/Tracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb30 |
| Parent PID | 0xd0c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F8C
0x
18C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f215000 | 0x7f215000 | 0x7f215fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f216000 | 0x7f216000 | 0x7f216fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f21d000 | 0x7f21d000 | 0x7f21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #419: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #419 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Bits-Client/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3EC
0x
D5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000950000 | 0x00950000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x0095ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00963fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00973fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ce0000 | 0x00d9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f47ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f4a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4a7000 | 0x7f4a7000 | 0x7f4a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4aa000 | 0x7f4aa000 | 0x7f4aafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4ac000 | 0x7f4ac000 | 0x7f4acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4ad000 | 0x7f4ad000 | 0x7f4affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 5, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x2d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #421: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #421 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Bits-Client/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d4 |
| Parent PID | 0x844 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F64
0x
D64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000580000 | 0x00580000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00593fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00653fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00700000 | 0x007bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74220000 | 0x7426dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x742a0000 | 0x742bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef63000 | 0x7ef63000 | 0x7ef63fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef69000 | 0x7ef69000 | 0x7ef6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #422: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #422 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Bits-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:25, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F14
0x
E04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c90000 | 0x00d4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05360000 | 0x05696fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e660000 | 0x7e660000 | 0x7e75ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e760000 | 0x7e760000 | 0x7e782fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e788000 | 0x7e788000 | 0x7e788fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e789000 | 0x7e789000 | 0x7e789fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e78a000 | 0x7e78a000 | 0x7e78cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e78d000 | 0x7e78d000 | 0x7e78ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfa0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #424: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #424 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Bits-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:25, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa0 |
| Parent PID | 0xe4c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
510
0x
FAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000520000 | 0x00520000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00563fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e150000 | 0x7e150000 | 0x7e172fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e179000 | 0x7e179000 | 0x7e17bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e17c000 | 0x7e17c000 | 0x7e17cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e17d000 | 0x7e17d000 | 0x7e17dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #425: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #425 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Bluetooth-MTPEnum/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:25, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x534 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F40
0x
76C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005a0000 | 0x005a0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00760000 | 0x0081dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c80000 | 0x00fb6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f103000 | 0x7f103000 | 0x7f103fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f104000 | 0x7f104000 | 0x7f104fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10a000 | 0x7f10a000 | 0x7f10cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10d000 | 0x7f10d000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #427: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #427 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Bluetooth-MTPEnum/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:25, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf7c |
| Parent PID | 0x534 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E44
0x
C9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x04cfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04df1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e710000 | 0x7e710000 | 0x7e732fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e739000 | 0x7e739000 | 0x7e73bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e73c000 | 0x7e73c000 | 0x7e73cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e73d000 | 0x7e73d000 | 0x7e73dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #428: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #428 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCache/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe58 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D44
0x
2F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000120000 | 0x00120000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00133fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00700000 | 0x00a36fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec10000 | 0x7ec10000 | 0x7ed0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ed32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed35000 | 0x7ed35000 | 0x7ed37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed38000 | 0x7ed38000 | 0x7ed38fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed3b000 | 0x7ed3b000 | 0x7ed3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed3d000 | 0x7ed3d000 | 0x7ed3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 190, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x63c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #430: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #430 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BranchCache/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:26, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x63c |
| Parent PID | 0xe58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A74
0x
5A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x04fbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04fe1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x05003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x050b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0515ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb90000 | 0x7fb90000 | 0x7fbb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fbb3000 | 0x7fbb3000 | 0x7fbb3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbbc000 | 0x7fbbc000 | 0x7fbbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbbd000 | 0x7fbbd000 | 0x7fbbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #431: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #431 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:26, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
0x
FB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000800000 | 0x00800000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x0080ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00813fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00821fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00823fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00843fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009c0000 | 0x00a7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d20000 | 0x01056fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ecbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7ece2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ece6000 | 0x7ece6000 | 0x7ece8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ece9000 | 0x7ece9000 | 0x7ece9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecec000 | 0x7ecec000 | 0x7eceefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecef000 | 0x7ecef000 | 0x7eceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 71, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #433: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #433 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:26, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc0 |
| Parent PID | 0xf78 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD8
0x
FC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000d0000 | 0x000d0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00113fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3d0000 | 0x7f3d0000 | 0x7f3f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3fb000 | 0x7f3fb000 | 0x7f3fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3fc000 | 0x7f3fc000 | 0x7f3fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ff000 | 0x7f3ff000 | 0x7f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #434: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #434 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheEventProvider/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:26, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfbc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FC4
0x
1B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e10000 | 0x00e10000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x01113fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05450000 | 0x05786fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7c0000 | 0x7e7c0000 | 0x7e8bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8c0000 | 0x7e8c0000 | 0x7e8e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8e3000 | 0x7e8e3000 | 0x7e8e3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8e4000 | 0x7e8e4000 | 0x7e8e4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ea000 | 0x7e8ea000 | 0x7e8ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ed000 | 0x7e8ed000 | 0x7e8effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #436: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #436 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BranchCacheEventProvider/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcbc |
| Parent PID | 0xfbc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
438
0x
5D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x04f5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005030000 | 0x05030000 | 0x05033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x05040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x05051fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f387000 | 0x7f387000 | 0x7f387fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38c000 | 0x7f38c000 | 0x7f38efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38f000 | 0x7f38f000 | 0x7f38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #437: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #437 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheMonitoring/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc04 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E5C
0x
478
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000910000 | 0x00910000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x0091ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00933fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00953fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00af0000 | 0x00badfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f12ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f130000 | 0x7f130000 | 0x7f152fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f158000 | 0x7f158000 | 0x7f15afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15b000 | 0x7f15b000 | 0x7f15dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15e000 | 0x7f15e000 | 0x7f15efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15f000 | 0x7f15f000 | 0x7f15ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #439: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #439 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BranchCacheMonitoring/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc88 |
| Parent PID | 0xc04 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D6C
0x
878
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000790000 | 0x00790000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f188000 | 0x7f188000 | 0x7f188fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18a000 | 0x7f18a000 | 0x7f18afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18d000 | 0x7f18d000 | 0x7f18ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #440: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #440 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheSMB/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B24
0x
41C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01003fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01013fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05290000 | 0x0534dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005450000 | 0x05450000 | 0x0554ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x056bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056c0000 | 0x059f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e850000 | 0x7e850000 | 0x7e94ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e950000 | 0x7e950000 | 0x7e972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e977000 | 0x7e977000 | 0x7e979fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e97a000 | 0x7e97a000 | 0x7e97afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e97b000 | 0x7e97b000 | 0x7e97bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e97d000 | 0x7e97d000 | 0x7e97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xec4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #442: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #442 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BranchCacheSMB/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec4 |
| Parent PID | 0xa68 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E78
0x
FA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003d0000 | 0x003d0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00413fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f367000 | 0x7f367000 | 0x7f367fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36c000 | 0x7f36c000 | 0x7f36efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36f000 | 0x7f36f000 | 0x7f36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #443: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #443 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BranchCacheSMB/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:28, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe90 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
EB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000770000 | 0x00770000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0077ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00903fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009a0000 | 0x00a5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cb0000 | 0x00fe6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7efdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f005000 | 0x7f005000 | 0x7f005fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f009000 | 0x7f009000 | 0x7f00bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00c000 | 0x7f00c000 | 0x7f00efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00f000 | 0x7f00f000 | 0x7f00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xef0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #445: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #445 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-BranchCacheSMB/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:28, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef0 |
| Parent PID | 0xe90 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC8
0x
904
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x04fbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04fe1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x05003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x050b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0532ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e922fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e923000 | 0x7e923000 | 0x7e923fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e92c000 | 0x7e92c000 | 0x7e92efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e92f000 | 0x7e92f000 | 0x7e92ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #446: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #446 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CAPI2/Catalog Database Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x994 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA4
0x
788
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c90000 | 0x00c90000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e50000 | 0x00f0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0540ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05410000 | 0x05746fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f19ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f1c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1c7000 | 0x7f1c7000 | 0x7f1c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1c8000 | 0x7f1c8000 | 0x7f1cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1cb000 | 0x7f1cb000 | 0x7f1cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1cd000 | 0x7f1cd000 | 0x7f1cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x968, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #448: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #448 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CAPI2/Catalog Database Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x994 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
0x
EC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004d0000 | 0x004d0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb60000 | 0x7fb60000 | 0x7fb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb8a000 | 0x7fb8a000 | 0x7fb8afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb8c000 | 0x7fb8c000 | 0x7fb8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb8f000 | 0x7fb8f000 | 0x7fb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #449: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #449 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CAPI2/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:30, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x34c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA8
0x
920
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a80000 | 0x00a80000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ac3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c50000 | 0x00d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052e0000 | 0x05616fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f940000 | 0x7f940000 | 0x7fa3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fa62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa66000 | 0x7fa66000 | 0x7fa68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa69000 | 0x7fa69000 | 0x7fa69fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6c000 | 0x7fa6c000 | 0x7fa6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6f000 | 0x7fa6f000 | 0x7fa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #451: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #451 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CAPI2/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:30, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc48 |
| Parent PID | 0x34c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F18
0x
7EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000140000 | 0x00140000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00183fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f94b000 | 0x7f94b000 | 0x7f94dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94e000 | 0x7f94e000 | 0x7f94efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94f000 | 0x7f94f000 | 0x7f94ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #452: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #452 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CDROM/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:30, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
3D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000840000 | 0x00840000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0084ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00853fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00883fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a00000 | 0x00abdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d80000 | 0x010b6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7eb4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7eb72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb75000 | 0x7eb75000 | 0x7eb77fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb78000 | 0x7eb78000 | 0x7eb78fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7b000 | 0x7eb7b000 | 0x7eb7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb7d000 | 0x7eb7d000 | 0x7eb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 35, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xff8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #454: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #454 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CDROM/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:30, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff8 |
| Parent PID | 0xff4 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FFC
0x
EDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f335000 | 0x7f335000 | 0x7f335fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33b000 | 0x7f33b000 | 0x7f33bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33d000 | 0x7f33d000 | 0x7f33ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #455: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #455 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
370
0x
C58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000640000 | 0x00640000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x0064ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00661fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00683fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00800000 | 0x008bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00de0000 | 0x01116fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fcd0000 | 0x7fcd0000 | 0x7fdcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fdd0000 | 0x7fdd0000 | 0x7fdf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fdf5000 | 0x7fdf5000 | 0x7fdf5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdf9000 | 0x7fdf9000 | 0x7fdfbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdfc000 | 0x7fdfc000 | 0x7fdfcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdfd000 | 0x7fdfd000 | 0x7fdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #457: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #457 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc78 |
| Parent PID | 0xc3c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
C54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000930000 | 0x00930000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd6000 | 0x7efd6000 | 0x7efd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdc000 | 0x7efdc000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #458: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #458 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/ApartmentInitialize" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C84
0x
828
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004d0000 | 0x004d0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00663fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00681fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00890000 | 0x0094dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a50000 | 0x00d86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e940000 | 0x7e940000 | 0x7ea3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7ea62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea66000 | 0x7ea66000 | 0x7ea66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea69000 | 0x7ea69000 | 0x7ea6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea6c000 | 0x7ea6c000 | 0x7ea6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea6f000 | 0x7ea6f000 | 0x7ea6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x538, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #460: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #460 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/ApartmentInitialize" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x538 |
| Parent PID | 0xed8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F88
0x
FDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004f0000 | 0x004f0000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00533fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f640000 | 0x7f640000 | 0x7f662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f666000 | 0x7f666000 | 0x7f666fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f66b000 | 0x7f66b000 | 0x7f66bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f66d000 | 0x7f66d000 | 0x7f66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #461: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #461 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/ApartmentUninitialize" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb20 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
458
0x
EE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b60000 | 0x00b60000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d20000 | 0x00dddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052f0000 | 0x05626fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9e0000 | 0x7e9e0000 | 0x7eadffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7eb02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb03000 | 0x7eb03000 | 0x7eb03fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb08000 | 0x7eb08000 | 0x7eb0afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0b000 | 0x7eb0b000 | 0x7eb0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0d000 | 0x7eb0d000 | 0x7eb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xbe4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #463: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #463 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/ApartmentUninitialize" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe4 |
| Parent PID | 0xb20 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF4
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00563fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00581fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f330000 | 0x7f330000 | 0x7f352fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f353000 | 0x7f353000 | 0x7f353fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f359000 | 0x7f359000 | 0x7f359fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f35d000 | 0x7f35d000 | 0x7f35ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #464: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #464 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/Call" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc74 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD4
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001d0000 | 0x001d0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00370fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008c0000 | 0x00bf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f820000 | 0x7f820000 | 0x7f91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f947000 | 0x7f947000 | 0x7f947fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f949000 | 0x7f949000 | 0x7f94bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94c000 | 0x7f94c000 | 0x7f94cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94d000 | 0x7f94d000 | 0x7f94ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 111, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x688, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #466: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #466 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/Call" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x688 |
| Parent PID | 0xc74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F44
0x
57C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x04e4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f1a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1a4000 | 0x7f1a4000 | 0x7f1a4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ac000 | 0x7f1ac000 | 0x7f1aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1af000 | 0x7f1af000 | 0x7f1affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #467: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #467 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/CreateInstance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe08 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF0
0x
DD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000880000 | 0x00880000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a40000 | 0x00afdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00db0000 | 0x010e6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7ec5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec60000 | 0x7ec60000 | 0x7ec82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec86000 | 0x7ec86000 | 0x7ec88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec89000 | 0x7ec89000 | 0x7ec89fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8a000 | 0x7ec8a000 | 0x7ec8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8d000 | 0x7ec8d000 | 0x7ec8dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x790, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #469: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #469 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/CreateInstance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x790 |
| Parent PID | 0xe08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA8
0x
DEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001d0000 | 0x001d0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f910000 | 0x7f910000 | 0x7f932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f937000 | 0x7f937000 | 0x7f937fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93b000 | 0x7f93b000 | 0x7f93bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93d000 | 0x7f93d000 | 0x7f93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #470: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #470 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/ExtensionCatalog" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x93c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E14
0x
924
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000950000 | 0x00950000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x0095ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00963fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00973fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7e0000 | 0x7e7e0000 | 0x7e8dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8e0000 | 0x7e8e0000 | 0x7e902fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e908000 | 0x7e908000 | 0x7e90afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e90b000 | 0x7e90b000 | 0x7e90bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e90c000 | 0x7e90c000 | 0x7e90efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e90f000 | 0x7e90f000 | 0x7e90ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x70c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #472: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #472 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/ExtensionCatalog" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x70c |
| Parent PID | 0x93c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
744
0x
584
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00343fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e390000 | 0x7e390000 | 0x7e3b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3b3000 | 0x7e3b3000 | 0x7e3b3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3bb000 | 0x7e3bb000 | 0x7e3bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3be000 | 0x7e3be000 | 0x7e3befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #473: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #473 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COM/FreeUnusedLibrary" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x72c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3F0
0x
DCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c80000 | 0x00d3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f090000 | 0x7f090000 | 0x7f18ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f190000 | 0x7f190000 | 0x7f1b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1b4000 | 0x7f1b4000 | 0x7f1b4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1b5000 | 0x7f1b5000 | 0x7f1b5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ba000 | 0x7f1ba000 | 0x7f1bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1bd000 | 0x7f1bd000 | 0x7f1bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 128, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #475: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #475 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COM/FreeUnusedLibrary" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0x72c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB0
0x
D9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000170000 | 0x00170000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x0017ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00191fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00320000 | 0x003ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74220000 | 0x7426dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x742a0000 | 0x742bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f400000 | 0x7f400000 | 0x7f4fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f525000 | 0x7f525000 | 0x7f525fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f529000 | 0x7f529000 | 0x7f52bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f52c000 | 0x7f52c000 | 0x7f52efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f52f000 | 0x7f52f000 | 0x7f52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #476: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #476 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/Activations" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd7c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D1C
0x
674
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00540000 | 0x005fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00940000 | 0x00c76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4c0000 | 0x7e4c0000 | 0x7e5bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e5c0000 | 0x7e5c0000 | 0x7e5e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5e8000 | 0x7e5e8000 | 0x7e5eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5eb000 | 0x7e5eb000 | 0x7e5edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ee000 | 0x7e5ee000 | 0x7e5eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ef000 | 0x7e5ef000 | 0x7e5effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 123, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xef8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #478: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #478 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/Activations" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef8 |
| Parent PID | 0xd7c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
350
0x
E30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000210000 | 0x00210000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e9000 | 0x7f0e9000 | 0x7f0ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ec000 | 0x7f0ec000 | 0x7f0ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ef000 | 0x7f0ef000 | 0x7f0effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #479: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #479 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/MessageProcessing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf6c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D34
0x
224
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x0019ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00790000 | 0x00ac6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8e0000 | 0x7e8e0000 | 0x7e9dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e9e0000 | 0x7e9e0000 | 0x7ea02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea07000 | 0x7ea07000 | 0x7ea07fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea09000 | 0x7ea09000 | 0x7ea0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea0c000 | 0x7ea0c000 | 0x7ea0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea0f000 | 0x7ea0f000 | 0x7ea0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x750, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #481: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #481 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/MessageProcessing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x750 |
| Parent PID | 0xf6c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
640
0x
E50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000210000 | 0x00210000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f823000 | 0x7f823000 | 0x7f823fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82c000 | 0x7f82c000 | 0x7f82efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82f000 | 0x7f82f000 | 0x7f82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #482: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #482 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/Tracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd24 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
768
0x
D18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c30000 | 0x00cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f710000 | 0x7f710000 | 0x7f80ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f810000 | 0x7f810000 | 0x7f832fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f835000 | 0x7f835000 | 0x7f835fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f838000 | 0x7f838000 | 0x7f838fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f83a000 | 0x7f83a000 | 0x7f83cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f83d000 | 0x7f83d000 | 0x7f83ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 226, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #484: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #484 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-COMRuntime/Tracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc4 |
| Parent PID | 0xd24 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6EC
0x
E6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3a0000 | 0x7f3a0000 | 0x7f3c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3c9000 | 0x7f3c9000 | 0x7f3c9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ca000 | 0x7f3ca000 | 0x7f3cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3cd000 | 0x7f3cd000 | 0x7f3cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #485: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #485 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertPoleEng/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc64 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D8C
0x
114
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00963fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00981fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00990000 | 0x00a4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d30000 | 0x01066fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9f0000 | 0x7e9f0000 | 0x7eaeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7eb12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb15000 | 0x7eb15000 | 0x7eb15fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb19000 | 0x7eb19000 | 0x7eb1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1c000 | 0x7eb1c000 | 0x7eb1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1f000 | 0x7eb1f000 | 0x7eb1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #487: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #487 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CertPoleEng/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcec |
| Parent PID | 0xc64 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E10
0x
D88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f890000 | 0x7f890000 | 0x7f8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8ba000 | 0x7f8ba000 | 0x7f8bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8bd000 | 0x7f8bd000 | 0x7f8bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8bf000 | 0x7f8bf000 | 0x7f8bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #488: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #488 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E1C
0x
DD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0024ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00470000 | 0x0052dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00930000 | 0x00c66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e530000 | 0x7e530000 | 0x7e62ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e630000 | 0x7e630000 | 0x7e652fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e657000 | 0x7e657000 | 0x7e657fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e659000 | 0x7e659000 | 0x7e65bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e65c000 | 0x7e65c000 | 0x7e65efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e65f000 | 0x7e65f000 | 0x7e65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xde0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #490: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #490 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde0 |
| Parent PID | 0x5f4 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E34
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x04c8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f333000 | 0x7f333000 | 0x7f333fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33c000 | 0x7f33c000 | 0x7f33efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33f000 | 0x7f33f000 | 0x7f33ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #491: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #491 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7e8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE4
0x
1A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000860000 | 0x00860000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x0086ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00883fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a20000 | 0x00addfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb84000 | 0x7eb84000 | 0x7eb84fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb88000 | 0x7eb88000 | 0x7eb8afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8b000 | 0x7eb8b000 | 0x7eb8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8d000 | 0x7eb8d000 | 0x7eb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x348, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #493: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #493 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x348 |
| Parent PID | 0x7e8 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
0x
E38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x04d5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec1b000 | 0x7ec1b000 | 0x7ec1dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1e000 | 0x7ec1e000 | 0x7ec1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1f000 | 0x7ec1f000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #494: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #494 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe60 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
520
0x
C1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000600000 | 0x00600000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x0060ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00613fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00623fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00643fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00960000 | 0x00a1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bc0000 | 0x00ef6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3d0000 | 0x7e3d0000 | 0x7e4cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e4d0000 | 0x7e4d0000 | 0x7e4f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e4f5000 | 0x7e4f5000 | 0x7e4f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4f8000 | 0x7e4f8000 | 0x7e4f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4fb000 | 0x7e4fb000 | 0x7e4fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4fe000 | 0x7e4fe000 | 0x7e4fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 224, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x81c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #496: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #496 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0xe60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B48
0x
B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b20000 | 0x00b20000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b80000 | 0x04b80000 | 0x04b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f560000 | 0x7f560000 | 0x7f582fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f584000 | 0x7f584000 | 0x7f584fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58c000 | 0x7f58c000 | 0x7f58efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58f000 | 0x7f58f000 | 0x7f58ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #497: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #497 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ClearTypeTextTuner/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:37, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe9c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD0
0x
E7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000230000 | 0x00230000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x0023ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00243fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003f0000 | 0x004adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009c0000 | 0x00cf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7f06ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f097000 | 0x7f097000 | 0x7f099fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09a000 | 0x7f09a000 | 0x7f09afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09c000 | 0x7f09c000 | 0x7f09efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09f000 | 0x7f09f000 | 0x7f09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 62, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #499: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #499 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ClearTypeTextTuner/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:37, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf58 |
| Parent PID | 0xe9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6FC
0x
D30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ed42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed46000 | 0x7ed46000 | 0x7ed46fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed48000 | 0x7ed48000 | 0x7ed48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed4d000 | 0x7ed4d000 | 0x7ed4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #500: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #500 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CloudStorageWizard/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:37, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A34
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00641fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00660000 | 0x0071dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b40000 | 0x00e76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8d0000 | 0x7f8d0000 | 0x7f9cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9d0000 | 0x7f9d0000 | 0x7f9f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9f6000 | 0x7f9f6000 | 0x7f9f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9f8000 | 0x7f9f8000 | 0x7f9f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9fa000 | 0x7f9fa000 | 0x7f9fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9fd000 | 0x7f9fd000 | 0x7f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x218, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #502: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #502 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CloudStorageWizard/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:37, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x218 |
| Parent PID | 0x6e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
428
0x
8EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000840000 | 0x00840000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00883fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00913fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f830000 | 0x7f830000 | 0x7f852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f853000 | 0x7f853000 | 0x7f853fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85b000 | 0x7f85b000 | 0x7f85bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85d000 | 0x7f85d000 | 0x7f85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #503: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #503 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CloudStorageWizard/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C98
0x
E2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000a0000 | 0x000a0000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003d0000 | 0x0048dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00610000 | 0x00946fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7eafffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb00000 | 0x7eb00000 | 0x7eb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb26000 | 0x7eb26000 | 0x7eb28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb29000 | 0x7eb29000 | 0x7eb29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2c000 | 0x7eb2c000 | 0x7eb2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2f000 | 0x7eb2f000 | 0x7eb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #505: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #505 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CloudStorageWizard/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe68 |
| Parent PID | 0xbdc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
464
0x
B04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2b0000 | 0x7f2b0000 | 0x7f2d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2d5000 | 0x7f2d5000 | 0x7f2d5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2db000 | 0x7f2db000 | 0x7f2ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2de000 | 0x7f2de000 | 0x7f2defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #506: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #506 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CmiSetup/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6c0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
424
0x
C34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00580000 | 0x0063dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a00000 | 0x00d36fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8c0000 | 0x7e8c0000 | 0x7e9bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7e9e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e9e8000 | 0x7e9e8000 | 0x7e9eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9eb000 | 0x7e9eb000 | 0x7e9ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9ec000 | 0x7e9ec000 | 0x7e9ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9ed000 | 0x7e9ed000 | 0x7e9effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x754, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #508: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #508 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CmiSetup/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x754 |
| Parent PID | 0x6c0 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
960
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x04c0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f630000 | 0x7f630000 | 0x7f652fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f656000 | 0x7f656000 | 0x7f656fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f657000 | 0x7f657000 | 0x7f657fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f65d000 | 0x7f65d000 | 0x7f65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #509: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #509 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CodeIntegrity/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf84 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
48C
0x
CB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000400000 | 0x00400000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x0040ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00413fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00423fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00593fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005c0000 | 0x0067dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a20000 | 0x00d56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7f08ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f090000 | 0x7f090000 | 0x7f0b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0b3000 | 0x7f0b3000 | 0x7f0b3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0b8000 | 0x7f0b8000 | 0x7f0bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0bb000 | 0x7f0bb000 | 0x7f0bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0bd000 | 0x7f0bd000 | 0x7f0bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x974, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #511: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #511 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CodeIntegrity/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x974 |
| Parent PID | 0xf84 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2EC
0x
278
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x04f6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f91fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x05043fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005050000 | 0x05050000 | 0x05050fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x05061fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f236000 | 0x7f236000 | 0x7f236fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23b000 | 0x7f23b000 | 0x7f23dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23e000 | 0x7f23e000 | 0x7f23efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #512: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #512 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CodeIntegrity/Verbose" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F48
0x
F00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000d0000 | 0x000d0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00113fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00730000 | 0x00a66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea10000 | 0x7ea10000 | 0x7eb0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb10000 | 0x7eb10000 | 0x7eb32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb36000 | 0x7eb36000 | 0x7eb36fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb38000 | 0x7eb38000 | 0x7eb38fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3a000 | 0x7eb3a000 | 0x7eb3cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3d000 | 0x7eb3d000 | 0x7eb3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 135, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #514: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #514 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CodeIntegrity/Verbose" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf24 |
| Parent PID | 0x3d4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
380
0x
F10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000980000 | 0x00980000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f628000 | 0x7f628000 | 0x7f628fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62c000 | 0x7f62c000 | 0x7f62efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62f000 | 0x7f62f000 | 0x7f62ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #515: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #515 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ComDlg32/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe70 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F2C
0x
C40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008d0000 | 0x008d0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00913fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00bb0000 | 0x00c6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f7c0000 | 0x7f7c0000 | 0x7f8bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f8c0000 | 0x7f8c0000 | 0x7f8e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8e4000 | 0x7f8e4000 | 0x7f8e4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8e5000 | 0x7f8e5000 | 0x7f8e5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ea000 | 0x7f8ea000 | 0x7f8ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8ed000 | 0x7f8ed000 | 0x7f8effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xa80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #517: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #517 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ComDlg32/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0xe70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D58
0x
BF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000600000 | 0x00600000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00643fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f040000 | 0x7f040000 | 0x7f062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f06b000 | 0x7f06b000 | 0x7f06bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06c000 | 0x7f06c000 | 0x7f06efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06f000 | 0x7f06f000 | 0x7f06ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #518: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #518 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ComDlg32/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xefc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B30
0x
5D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00430000 | 0x004edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00780000 | 0x00ab6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb70000 | 0x7fb70000 | 0x7fc6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc70000 | 0x7fc70000 | 0x7fc92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc93000 | 0x7fc93000 | 0x7fc93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc99000 | 0x7fc99000 | 0x7fc9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc9c000 | 0x7fc9c000 | 0x7fc9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc9f000 | 0x7fc9f000 | 0x7fc9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 26, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x3ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #520: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #520 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-ComDlg32/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3ec |
| Parent PID | 0xefc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D5C
0x
D54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000700000 | 0x00700000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f003000 | 0x7f003000 | 0x7f003fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f008000 | 0x7f008000 | 0x7f008fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00d000 | 0x7f00d000 | 0x7f00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #521: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #521 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Compat-Appraiser/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x818 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2D4
0x
D60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x0020ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00430000 | 0x004edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008b0000 | 0x00be6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f47ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f4a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4a4000 | 0x7f4a4000 | 0x7f4a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4a7000 | 0x7f4a7000 | 0x7f4a7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4aa000 | 0x7f4aa000 | 0x7f4acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4ad000 | 0x7f4ad000 | 0x7f4adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #523: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #523 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Compat-Appraiser/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf14 |
| Parent PID | 0x818 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E04
0x
ADC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000550000 | 0x00550000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00593fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00641fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0f3000 | 0x7f0f3000 | 0x7f0f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0f7000 | 0x7f0f7000 | 0x7f0f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #524: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #524 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Compat-Appraiser/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb28 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA0
0x
6C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00771fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00830000 | 0x008edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d50000 | 0x01086fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6b6000 | 0x7f6b6000 | 0x7f6b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6b7000 | 0x7f6b7000 | 0x7f6b7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ba000 | 0x7f6ba000 | 0x7f6bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bd000 | 0x7f6bd000 | 0x7f6bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #526: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #526 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Compat-Appraiser/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf40 |
| Parent PID | 0xb28 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
76C
0x
7BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x04c9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cc1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7f972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f977000 | 0x7f977000 | 0x7f977fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97c000 | 0x7f97c000 | 0x7f97efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97f000 | 0x7f97f000 | 0x7f97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #527: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #527 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F7C
0x
F5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c80000 | 0x00c80000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e50000 | 0x00f0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05290000 | 0x055c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec17000 | 0x7ec17000 | 0x7ec19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1a000 | 0x7ec1a000 | 0x7ec1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1d000 | 0x7ec1d000 | 0x7ec1dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1f000 | 0x7ec1f000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #529: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #529 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd44 |
| Parent PID | 0xbd8 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2F0
0x
A2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009c0000 | 0x009c0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e200000 | 0x7e200000 | 0x7e222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e227000 | 0x7e227000 | 0x7e227fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e228000 | 0x7e228000 | 0x7e228fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e22d000 | 0x7e22d000 | 0x7e22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #530: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #530 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x544 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
63C
0x
724
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000130000 | 0x00130000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x0013ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00151fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002f0000 | 0x003adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00660000 | 0x00996fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e500000 | 0x7e500000 | 0x7e5fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e600000 | 0x7e600000 | 0x7e622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e626000 | 0x7e626000 | 0x7e628fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e629000 | 0x7e629000 | 0x7e629fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e62c000 | 0x7e62c000 | 0x7e62cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e62d000 | 0x7e62d000 | 0x7e62ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 128, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #532: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #532 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0x544 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB8
0x
D3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a10000 | 0x00a10000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d40000 | 0x04dfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74220000 | 0x7426dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x742a0000 | 0x742bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7eb2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7eb52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb56000 | 0x7eb56000 | 0x7eb56fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb59000 | 0x7eb59000 | 0x7eb5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb5c000 | 0x7eb5c000 | 0x7eb5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb5d000 | 0x7eb5d000 | 0x7eb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #533: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #533 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd38 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FC0
0x
404
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000660000 | 0x00660000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x0066ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00673fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00681fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00683fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a20000 | 0x00addfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d10000 | 0x01046fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7eceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed13000 | 0x7ed13000 | 0x7ed13fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed18000 | 0x7ed18000 | 0x7ed1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1b000 | 0x7ed1b000 | 0x7ed1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1d000 | 0x7ed1d000 | 0x7ed1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 119, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #535: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #535 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Connected-Search/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc4 |
| Parent PID | 0xd38 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1B4
0x
548
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f040000 | 0x7f040000 | 0x7f062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f06b000 | 0x7f06b000 | 0x7f06dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06e000 | 0x7f06e000 | 0x7f06efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06f000 | 0x7f06f000 | 0x7f06ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #536: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #536 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x94c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CBC
0x
F4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00730000 | 0x00a66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea90000 | 0x7ea90000 | 0x7eb8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb90000 | 0x7eb90000 | 0x7ebb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebb8000 | 0x7ebb8000 | 0x7ebbafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebbb000 | 0x7ebbb000 | 0x7ebbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebbc000 | 0x7ebbc000 | 0x7ebbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebbf000 | 0x7ebbf000 | 0x7ebbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #538: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #538 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x94c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
478
0x
9C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00131fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e360000 | 0x7e360000 | 0x7e382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e383000 | 0x7e383000 | 0x7e383fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e385000 | 0x7e385000 | 0x7e385fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e38d000 | 0x7e38d000 | 0x7e38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #539: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #539 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x850 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C88
0x
EC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00740000 | 0x007fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009c0000 | 0x00cf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa10000 | 0x7fa10000 | 0x7fb0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb10000 | 0x7fb10000 | 0x7fb32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb37000 | 0x7fb37000 | 0x7fb39fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb3a000 | 0x7fb3a000 | 0x7fb3afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb3c000 | 0x7fb3c000 | 0x7fb3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb3f000 | 0x7fb3f000 | 0x7fb3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 159, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #541: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #541 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:44, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb24 |
| Parent PID | 0x850 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
41C
0x
C18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006d0000 | 0x006d0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ed32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed34000 | 0x7ed34000 | 0x7ed34fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed3c000 | 0x7ed3c000 | 0x7ed3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed3f000 | 0x7ed3f000 | 0x7ed3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #542: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #542 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Tracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:44, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb4c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A68
0x
904
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006e0000 | 0x006e0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00701fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00703fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00873fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00891fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00950000 | 0x00a0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cd0000 | 0x01006fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef64000 | 0x7ef64000 | 0x7ef64fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef69000 | 0x7ef69000 | 0x7ef6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #544: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #544 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreApplication/Tracing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:44, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf9c |
| Parent PID | 0xb4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
EB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001b0000 | 0x001b0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f506000 | 0x7f506000 | 0x7f506fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f508000 | 0x7f508000 | 0x7f508fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50d000 | 0x7f50d000 | 0x7f50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #545: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #545 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:44, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf94 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
0x
EC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e80000 | 0x00e80000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01013fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x01031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x052b0000 | 0x0536dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05470000 | 0x057a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ead0000 | 0x7ead0000 | 0x7ebcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebd0000 | 0x7ebd0000 | 0x7ebf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebf5000 | 0x7ebf5000 | 0x7ebf5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebf9000 | 0x7ebf9000 | 0x7ebf9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebfa000 | 0x7ebfa000 | 0x7ebfcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebfd000 | 0x7ebfd000 | 0x7ebfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 17, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #547: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #547 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfb0 |
| Parent PID | 0xf94 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA4
0x
788
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000890000 | 0x00890000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00963fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00981fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eed0000 | 0x7eed0000 | 0x7eef2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eef5000 | 0x7eef5000 | 0x7eef5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eef7000 | 0x7eef7000 | 0x7eef7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefd000 | 0x7eefd000 | 0x7eefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #548: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #548 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E8
0x
7EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00641fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00650000 | 0x0070dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ab0000 | 0x00de6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec00000 | 0x7ec00000 | 0x7ecfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed00000 | 0x7ed00000 | 0x7ed22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed26000 | 0x7ed26000 | 0x7ed26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed29000 | 0x7ed29000 | 0x7ed2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed2c000 | 0x7ed2c000 | 0x7ed2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed2f000 | 0x7ed2f000 | 0x7ed2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #550: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #550 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc0c |
| Parent PID | 0xb58 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA8
0x
920
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f289000 | 0x7f289000 | 0x7f28bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f28c000 | 0x7f28c000 | 0x7f28cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f28f000 | 0x7f28f000 | 0x7f28ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #551: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #551 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreWindow/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf98 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF0
0x
EDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000940000 | 0x00940000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0094ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00953fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00961fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00963fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00983fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00cb0000 | 0x00d6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb86000 | 0x7eb86000 | 0x7eb86fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb88000 | 0x7eb88000 | 0x7eb8afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8b000 | 0x7eb8b000 | 0x7eb8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8d000 | 0x7eb8d000 | 0x7eb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x908, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #553: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #553 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreWindow/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x908 |
| Parent PID | 0xf98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
3D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e830000 | 0x7e830000 | 0x7e852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e858000 | 0x7e858000 | 0x7e858fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e85c000 | 0x7e85c000 | 0x7e85efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e85f000 | 0x7e85f000 | 0x7e85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #554: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #554 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CoreWindow/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc2c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C80
0x
C54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000650000 | 0x00650000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x0065ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00673fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00810000 | 0x008cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c20000 | 0x00f56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f35ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f386000 | 0x7f386000 | 0x7f386fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f389000 | 0x7f389000 | 0x7f389fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38a000 | 0x7f38a000 | 0x7f38cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f38d000 | 0x7f38d000 | 0x7f38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #556: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #556 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CoreWindow/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc90 |
| Parent PID | 0xc2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
370
0x
C58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e1f0000 | 0x7e1f0000 | 0x7e212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e218000 | 0x7e218000 | 0x7e218fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e21c000 | 0x7e21c000 | 0x7e21efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e21f000 | 0x7e21f000 | 0x7e21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #557: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #557 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CorruptedFileRecovery-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:03:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfe8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
578
0x
F88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b60000 | 0x00b60000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f20000 | 0x00fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0527ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05280000 | 0x055b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f11ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f142fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f144000 | 0x7f144000 | 0x7f144fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f149000 | 0x7f149000 | 0x7f14bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f14c000 | 0x7f14c000 | 0x7f14cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f14d000 | 0x7f14d000 | 0x7f14ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfdc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #559: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #559 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CorruptedFileRecovery-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:03:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfdc |
| Parent PID | 0xfe8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F20
0x
C84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x04c8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7ef92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef94000 | 0x7ef94000 | 0x7ef94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef95000 | 0x7ef95000 | 0x7ef95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef9d000 | 0x7ef9d000 | 0x7ef9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #560: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #560 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CorruptedFileRecovery-Server/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:47, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x828 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
704
0x
BF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000580000 | 0x00580000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00593fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008b0000 | 0x0096dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bb0000 | 0x00ee6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f770000 | 0x7f770000 | 0x7f86ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f870000 | 0x7f870000 | 0x7f892fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f897000 | 0x7f897000 | 0x7f897fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f898000 | 0x7f898000 | 0x7f898fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f89a000 | 0x7f89a000 | 0x7f89cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f89d000 | 0x7f89d000 | 0x7f89ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 254, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdb8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #562: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #562 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CorruptedFileRecovery-Server/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:47, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0x828 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
458
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000130000 | 0x00130000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00151fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00173fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00203fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f625000 | 0x7f625000 | 0x7f625fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62c000 | 0x7f62c000 | 0x7f62cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f62d000 | 0x7f62d000 | 0x7f62ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #563: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #563 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crashdump/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E4
0x
F44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000780000 | 0x00780000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x0078ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00913fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00940000 | 0x009fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb10000 | 0x7fb10000 | 0x7fc0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc10000 | 0x7fc10000 | 0x7fc32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc36000 | 0x7fc36000 | 0x7fc38fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc39000 | 0x7fc39000 | 0x7fc39fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc3c000 | 0x7fc3c000 | 0x7fc3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc3f000 | 0x7fc3f000 | 0x7fc3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x57c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #565: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #565 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crashdump/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x57c |
| Parent PID | 0xee0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
0x
FD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000700000 | 0x00700000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0fb000 | 0x7f0fb000 | 0x7f0fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fc000 | 0x7f0fc000 | 0x7f0fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ff000 | 0x7f0ff000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #566: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #566 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CredProvHost/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:48, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DFC
0x
DA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000e0000 | 0x000e0000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00101fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00123fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x0035dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007f0000 | 0x00b26fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f16ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f197000 | 0x7f197000 | 0x7f199fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19a000 | 0x7f19a000 | 0x7f19cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19d000 | 0x7f19d000 | 0x7f19dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19f000 | 0x7f19f000 | 0x7f19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #568: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #568 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CredProvHost/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:48, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdec |
| Parent PID | 0xa24 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
550
0x
DF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f8d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f8db000 | 0x7f8db000 | 0x7f8ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8de000 | 0x7f8de000 | 0x7f8defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f8df000 | 0x7f8df000 | 0x7f8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #569: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #569 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CredUI/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:48, Reason: Child Process |
| Unmonitor | End Time: 00:03:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E18
0x
744
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f80000 | 0x00f80000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x01131fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0523ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05240000 | 0x052fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0550ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005640000 | 0x05640000 | 0x0564ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05650000 | 0x05986fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3a0000 | 0x7f3a0000 | 0x7f49ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4a0000 | 0x7f4a0000 | 0x7f4c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4c8000 | 0x7f4c8000 | 0x7f4cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4cb000 | 0x7f4cb000 | 0x7f4cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4ce000 | 0x7f4ce000 | 0x7f4cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4cf000 | 0x7f4cf000 | 0x7f4cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x584, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #571: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #571 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CredUI/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:48, Reason: Child Process |
| Unmonitor | End Time: 00:03:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x584 |
| Parent PID | 0xdd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
638
0x
E14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5c0000 | 0x7e5c0000 | 0x7e5e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5e9000 | 0x7e5e9000 | 0x7e5ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ec000 | 0x7e5ec000 | 0x7e5ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ef000 | 0x7e5ef000 | 0x7e5effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #572: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #572 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-CredentialProviders/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:49, Reason: Child Process |
| Unmonitor | End Time: 00:03:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x924 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF8
0x
DB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002a0000 | 0x002a0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00433fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00460000 | 0x0051dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00950000 | 0x00c86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7eceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed15000 | 0x7ed15000 | 0x7ed17fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed18000 | 0x7ed18000 | 0x7ed18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1a000 | 0x7ed1a000 | 0x7ed1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1d000 | 0x7ed1d000 | 0x7ed1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #574: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #574 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-CredentialProviders/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:49, Reason: Child Process |
| Unmonitor | End Time: 00:03:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd9c |
| Parent PID | 0x924 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC8
0x
3F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3e3000 | 0x7f3e3000 | 0x7f3e3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3e8000 | 0x7f3e8000 | 0x7f3e8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ed000 | 0x7f3ed000 | 0x7f3effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #575: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #575 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-BCRYPT/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:49, Reason: Child Process |
| Unmonitor | End Time: 00:03:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdcc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B00
0x
350
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00041fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00043fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001e0000 | 0x0029dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00630000 | 0x00966fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8a0000 | 0x7e8a0000 | 0x7e99ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e9a0000 | 0x7e9a0000 | 0x7e9c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e9c7000 | 0x7e9c7000 | 0x7e9c9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9ca000 | 0x7e9ca000 | 0x7e9cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9cc000 | 0x7e9cc000 | 0x7e9ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9cd000 | 0x7e9cd000 | 0x7e9cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe30, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #577: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #577 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-BCRYPT/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:49, Reason: Child Process |
| Unmonitor | End Time: 00:03:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe30 |
| Parent PID | 0xdcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
69C
0x
D1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00343fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed50000 | 0x7ed50000 | 0x7ed72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed73000 | 0x7ed73000 | 0x7ed73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed77000 | 0x7ed77000 | 0x7ed77fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed7d000 | 0x7ed7d000 | 0x7ed7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #578: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #578 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-CNG/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:50, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x674 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
42C
0x
640
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00490000 | 0x0054dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00910000 | 0x00c46fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f420000 | 0x7f420000 | 0x7f51ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f520000 | 0x7f520000 | 0x7f542fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f545000 | 0x7f545000 | 0x7f545fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f549000 | 0x7f549000 | 0x7f54bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54c000 | 0x7f54c000 | 0x7f54cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54d000 | 0x7f54d000 | 0x7f54ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 209, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #580: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #580 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-CNG/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:50, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe50 |
| Parent PID | 0x674 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA4
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a10000 | 0x00a10000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7f972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f976000 | 0x7f976000 | 0x7f976fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97c000 | 0x7f97c000 | 0x7f97efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97f000 | 0x7f97f000 | 0x7f97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #581: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #581 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x224 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6D8
0x
6EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000170000 | 0x00170000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x0017ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00191fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00193fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00321fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00550000 | 0x0060dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008c0000 | 0x00bf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fc40000 | 0x7fc40000 | 0x7fd3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fd40000 | 0x7fd40000 | 0x7fd62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fd66000 | 0x7fd66000 | 0x7fd66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd69000 | 0x7fd69000 | 0x7fd6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd6c000 | 0x7fd6c000 | 0x7fd6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd6d000 | 0x7fd6d000 | 0x7fd6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 87, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe6c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #583: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #583 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe6c |
| Parent PID | 0x224 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF8
0x
768
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x04dbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0523ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f00b000 | 0x7f00b000 | 0x7f00bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00c000 | 0x7f00c000 | 0x7f00efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f00f000 | 0x7f00f000 | 0x7f00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #584: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #584 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd18 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D20
0x
F38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0037ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00503fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00530000 | 0x005edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a60000 | 0x00d96fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e690000 | 0x7e690000 | 0x7e78ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e790000 | 0x7e790000 | 0x7e7b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7b6000 | 0x7e7b6000 | 0x7e7b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7b9000 | 0x7e7b9000 | 0x7e7b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7bc000 | 0x7e7bc000 | 0x7e7befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7bf000 | 0x7e7bf000 | 0x7e7bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe10, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #586: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #586 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe10 |
| Parent PID | 0xd18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D88
0x
7F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002a0000 | 0x002a0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007edd0000 | 0x7edd0000 | 0x7edf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edfb000 | 0x7edfb000 | 0x7edfdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edfe000 | 0x7edfe000 | 0x7edfefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edff000 | 0x7edff000 | 0x7edfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #587: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #587 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x114 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D8C
0x
AF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00453fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00460fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00610000 | 0x006cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009c0000 | 0x00cf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb80000 | 0x7fb80000 | 0x7fc7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc80000 | 0x7fc80000 | 0x7fca2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fca3000 | 0x7fca3000 | 0x7fca3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fca9000 | 0x7fca9000 | 0x7fcabfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcac000 | 0x7fcac000 | 0x7fcacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcad000 | 0x7fcad000 | 0x7fcaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xce0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #589: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #589 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-DPAPI/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce0 |
| Parent PID | 0x114 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E34
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001b0000 | 0x001b0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee88000 | 0x7ee88000 | 0x7ee88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8c000 | 0x7ee8c000 | 0x7ee8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8f000 | 0x7ee8f000 | 0x7ee8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #590: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #590 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-DSSEnh/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:52, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E1C
0x
E48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000860000 | 0x00860000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x0086ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00883fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a20000 | 0x00addfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebd0000 | 0x7ebd0000 | 0x7eccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecd0000 | 0x7ecd0000 | 0x7ecf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecf6000 | 0x7ecf6000 | 0x7ecf6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecf7000 | 0x7ecf7000 | 0x7ecf7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecfa000 | 0x7ecfa000 | 0x7ecfcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecfd000 | 0x7ecfd000 | 0x7ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x590, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #592: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #592 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-DSSEnh/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:52, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x590 |
| Parent PID | 0xdd8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
0x
E38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00523fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb00000 | 0x7fb00000 | 0x7fb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb28000 | 0x7fb28000 | 0x7fb28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2b000 | 0x7fb2b000 | 0x7fb2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2d000 | 0x7fb2d000 | 0x7fb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #594: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #594 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-NCrypt/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1a0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E28
0x
B48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c20000 | 0x00c20000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00de0000 | 0x00e9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0542ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05430000 | 0x05766fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eca0000 | 0x7eca0000 | 0x7ed9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eda0000 | 0x7eda0000 | 0x7edc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edc4000 | 0x7edc4000 | 0x7edc4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edc5000 | 0x7edc5000 | 0x7edc5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edca000 | 0x7edca000 | 0x7edccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edcd000 | 0x7edcd000 | 0x7edcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #596: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #596 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-NCrypt/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0 |
| Parent PID | 0x1a0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
604
0x
520
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008c0000 | 0x008c0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00903fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa10000 | 0x7fa10000 | 0x7fa32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa3b000 | 0x7fa3b000 | 0x7fa3dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa3e000 | 0x7fa3e000 | 0x7fa3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa3f000 | 0x7fa3f000 | 0x7fa3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #597: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #597 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-RNG/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x304 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D50
0x
C38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000460000 | 0x00460000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00481fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00483fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00620000 | 0x006ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ca0000 | 0x00fd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f11ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f142fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f144000 | 0x7f144000 | 0x7f144fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f148000 | 0x7f148000 | 0x7f14afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f14b000 | 0x7f14b000 | 0x7f14dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f14e000 | 0x7f14e000 | 0x7f14efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x804, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #599: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #599 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-RNG/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x804 |
| Parent PID | 0x304 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F58
0x
E9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x04dcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04df1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ec1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3a0000 | 0x7e3a0000 | 0x7e3c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3c3000 | 0x7e3c3000 | 0x7e3c3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3cc000 | 0x7e3cc000 | 0x7e3cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3cf000 | 0x7e3cf000 | 0x7e3cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #600: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #600 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Crypto-RSAEnh/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x15c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE8
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00533fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00540fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00570000 | 0x0062dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009e0000 | 0x00d16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7f04ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f075000 | 0x7f075000 | 0x7f077fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f078000 | 0x7f078000 | 0x7f078fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07a000 | 0x7f07a000 | 0x7f07cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07d000 | 0x7f07d000 | 0x7f07dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x468, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #602: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #602 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Crypto-RSAEnh/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x468 |
| Parent PID | 0x15c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB4
0x
218
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x04b7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04ba1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f059000 | 0x7f059000 | 0x7f059fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05b000 | 0x7f05b000 | 0x7f05bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05d000 | 0x7f05d000 | 0x7f05ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #603: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #603 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-D3D10Level9/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A54
0x
E2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000260000 | 0x00260000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x0026ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00273fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00420000 | 0x004ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00900000 | 0x00c36fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ecbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7ece2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ece7000 | 0x7ece7000 | 0x7ece9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecea000 | 0x7ecea000 | 0x7ececfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eced000 | 0x7eced000 | 0x7ecedfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecee000 | 0x7ecee000 | 0x7eceefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #605: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #605 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-D3D10Level9/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0x6e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
888
0x
E68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e820000 | 0x7e820000 | 0x7e842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e843000 | 0x7e843000 | 0x7e843fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84b000 | 0x7e84b000 | 0x7e84dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84e000 | 0x7e84e000 | 0x7e84efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #606: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #606 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-D3D10Level9/PerfTiming" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5DC
0x
C34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00920000 | 0x009ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d10000 | 0x01046fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7f03ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f040000 | 0x7f040000 | 0x7f062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f068000 | 0x7f068000 | 0x7f068fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f069000 | 0x7f069000 | 0x7f06bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06c000 | 0x7f06c000 | 0x7f06efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f06f000 | 0x7f06f000 | 0x7f06ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 170, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xbf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #608: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #608 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-D3D10Level9/PerfTiming" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf0 |
| Parent PID | 0xbdc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ECC
0x
754
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000510000 | 0x00510000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e190000 | 0x7e190000 | 0x7e1b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e1b7000 | 0x7e1b7000 | 0x7e1b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1ba000 | 0x7e1ba000 | 0x7e1bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1bd000 | 0x7e1bd000 | 0x7e1bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #610: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #610 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DAL-Provider/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:56, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2C0
0x
64C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01040000 | 0x010fdfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053e0000 | 0x05716fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e610000 | 0x7e610000 | 0x7e70ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e710000 | 0x7e710000 | 0x7e732fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e734000 | 0x7e734000 | 0x7e734fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e739000 | 0x7e739000 | 0x7e73bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e73c000 | 0x7e73c000 | 0x7e73efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e73f000 | 0x7e73f000 | 0x7e73ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 128, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #612: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #612 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DAL-Provider/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:56, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e8 |
| Parent PID | 0xb44 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
974
0x
F84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000af0000 | 0x00af0000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e669000 | 0x7e669000 | 0x7e669fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66b000 | 0x7e66b000 | 0x7e66dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66e000 | 0x7e66e000 | 0x7e66efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #613: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #613 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DAL-Provider/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf34 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE4
0x
7F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c10000 | 0x00c10000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00dd0000 | 0x00e8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05480000 | 0x057b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eab0000 | 0x7eab0000 | 0x7ebaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ebd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebd8000 | 0x7ebd8000 | 0x7ebdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdb000 | 0x7ebdb000 | 0x7ebdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdc000 | 0x7ebdc000 | 0x7ebdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdf000 | 0x7ebdf000 | 0x7ebdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #615: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #615 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DAL-Provider/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd14 |
| Parent PID | 0xf34 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F24
0x
3D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000360000 | 0x00360000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x003a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00433fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f322fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f326000 | 0x7f326000 | 0x7f326fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f32a000 | 0x7f32a000 | 0x7f32afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f32d000 | 0x7f32d000 | 0x7f32ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #616: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #616 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DAMM/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x740 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E94
0x
18C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a10000 | 0x00a10000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c30000 | 0x00cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f490000 | 0x7f490000 | 0x7f58ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f5b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5b8000 | 0x7f5b8000 | 0x7f5bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5bb000 | 0x7f5bb000 | 0x7f5bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5bc000 | 0x7f5bc000 | 0x7f5bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5bd000 | 0x7f5bd000 | 0x7f5bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 196, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xeb8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #618: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #618 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DAMM/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb8 |
| Parent PID | 0x740 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A80
0x
E70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e970000 | 0x7e970000 | 0x7e992fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e997000 | 0x7e997000 | 0x7e997fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99c000 | 0x7e99c000 | 0x7e99efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e99f000 | 0x7e99f000 | 0x7e99ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #619: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #619 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DCLocator/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EBC
0x
D64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000780000 | 0x00780000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x0078ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00913fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00940000 | 0x009fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7ec6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ec92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec93000 | 0x7ec93000 | 0x7ec93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec99000 | 0x7ec99000 | 0x7ec9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9c000 | 0x7ec9c000 | 0x7ec9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9f000 | 0x7ec9f000 | 0x7ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 205, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #621: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #621 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DCLocator/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xe98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3EC
0x
EFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00461fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb10000 | 0x7eb10000 | 0x7eb32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb37000 | 0x7eb37000 | 0x7eb37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3b000 | 0x7eb3b000 | 0x7eb3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3d000 | 0x7eb3d000 | 0x7eb3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #622: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #622 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DLNA-Namespace/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
118
0x
FAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fc0000 | 0x0107dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0542ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05430000 | 0x05766fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e826000 | 0x7e826000 | 0x7e828fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e829000 | 0x7e829000 | 0x7e829fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82c000 | 0x7e82c000 | 0x7e82efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82f000 | 0x7e82f000 | 0x7e82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 113, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x490, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #624: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #624 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DLNA-Namespace/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x490 |
| Parent PID | 0xd0c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F14
0x
818
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fd80000 | 0x7fd80000 | 0x7fda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fda4000 | 0x7fda4000 | 0x7fda4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdac000 | 0x7fdac000 | 0x7fdaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdaf000 | 0x7fdaf000 | 0x7fdaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #625: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #625 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DNS-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:04:00, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F04
0x
C9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0045ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00610000 | 0x006cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a30000 | 0x00d66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e090000 | 0x7e090000 | 0x7e18ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e190000 | 0x7e190000 | 0x7e1b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e1b7000 | 0x7e1b7000 | 0x7e1b7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1b8000 | 0x7e1b8000 | 0x7e1bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1bb000 | 0x7e1bb000 | 0x7e1bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1be000 | 0x7e1be000 | 0x7e1befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 124, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x364, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #627: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #627 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DNS-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x364 |
| Parent PID | 0x844 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F40
0x
B28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x04ccffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004db0000 | 0x04db0000 | 0x04db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0520ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9b0000 | 0x7e9b0000 | 0x7e9d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e9d9000 | 0x7e9d9000 | 0x7e9d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9db000 | 0x7e9db000 | 0x7e9dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9dd000 | 0x7e9dd000 | 0x7e9dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #628: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #628 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:04:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
148
0x
5A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000720000 | 0x00720000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00743fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a10000 | 0x00acdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00df0000 | 0x01126fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef54000 | 0x7ef54000 | 0x7ef54fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef59000 | 0x7ef59000 | 0x7ef5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5c000 | 0x7ef5c000 | 0x7ef5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5f000 | 0x7ef5f000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x950, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #630: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #630 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DSC/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:04:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x950 |
| Parent PID | 0xe4c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D44
0x
BD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00123fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00600000 | 0x00936fff | Memory Mapped File | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x74220000 | 0x7426dfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x742a0000 | 0x742bafff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5e0000 | 0x7f5e0000 | 0x7f6dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6e0000 | 0x7f6e0000 | 0x7f702fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f705000 | 0x7f705000 | 0x7f705fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f709000 | 0x7f709000 | 0x7f70bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70c000 | 0x7f70c000 | 0x7f70efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70f000 | 0x7f70f000 | 0x7f70ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #631: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #631 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:04:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x534 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EEC
0x
FC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c60000 | 0x00c60000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00df3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ec0000 | 0x00f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05450000 | 0x05786fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e710000 | 0x7e710000 | 0x7e80ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e810000 | 0x7e810000 | 0x7e832fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e838000 | 0x7e838000 | 0x7e838fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e839000 | 0x7e839000 | 0x7e83bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e83c000 | 0x7e83c000 | 0x7e83efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e83f000 | 0x7e83f000 | 0x7e83ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 67, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #633: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #633 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DSC/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:04:00, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd08 |
| Parent PID | 0x534 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
0x
544
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009d0000 | 0x009d0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb63000 | 0x7eb63000 | 0x7eb63fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb67000 | 0x7eb67000 | 0x7eb67fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb6d000 | 0x7eb6d000 | 0x7eb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #634: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #634 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe58 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
190
0x
5D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01071fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01080000 | 0x0113dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0533ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0557ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05580000 | 0x058b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef56000 | 0x7ef56000 | 0x7ef56fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef59000 | 0x7ef59000 | 0x7ef5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5c000 | 0x7ef5c000 | 0x7ef5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5f000 | 0x7ef5f000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x894, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #636: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #636 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DSC/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0xe58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FC4
0x
D38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x04c2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c51fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d10000 | 0x04d10000 | 0x04d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f5b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5b3000 | 0x7f5b3000 | 0x7f5b3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5bc000 | 0x7f5bc000 | 0x7f5bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5bd000 | 0x7f5bd000 | 0x7f5bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #637: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #637 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DSC/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1A4
0x
878
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b00000 | 0x00b00000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ce0000 | 0x00d9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05310000 | 0x05646fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7b0000 | 0x7e7b0000 | 0x7e8affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8b0000 | 0x7e8b0000 | 0x7e8d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8d3000 | 0x7e8d3000 | 0x7e8d3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8d9000 | 0x7e8d9000 | 0x7e8dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8dc000 | 0x7e8dc000 | 0x7e8defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8df000 | 0x7e8df000 | 0x7e8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x814, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #639: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #639 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DSC/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x814 |
| Parent PID | 0xf78 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E5C
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x04dcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04df1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ec1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0515ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb10000 | 0x7eb10000 | 0x7eb32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb35000 | 0x7eb35000 | 0x7eb35fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3c000 | 0x7eb3c000 | 0x7eb3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb3f000 | 0x7eb3f000 | 0x7eb3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #640: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #640 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DUI/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x848 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
41C
0x
B24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00900000 | 0x009bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c20000 | 0x00f56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f2cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2d0000 | 0x7f2d0000 | 0x7f2f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2f3000 | 0x7f2f3000 | 0x7f2f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2f8000 | 0x7f2f8000 | 0x7f2fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2fb000 | 0x7f2fb000 | 0x7f2fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2fd000 | 0x7f2fd000 | 0x7f2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x850, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #642: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #642 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DUI/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x850 |
| Parent PID | 0x848 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C04
0x
60C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fc10000 | 0x7fc10000 | 0x7fc32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc37000 | 0x7fc37000 | 0x7fc37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc3a000 | 0x7fc3a000 | 0x7fc3afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc3d000 | 0x7fc3d000 | 0x7fc3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #643: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #643 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DUSER/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB4
0x
F9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d70000 | 0x00e2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05260000 | 0x05596fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7ec5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec60000 | 0x7ec60000 | 0x7ec82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec87000 | 0x7ec87000 | 0x7ec89fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8a000 | 0x7ec8a000 | 0x7ec8afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8c000 | 0x7ec8c000 | 0x7ec8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec8f000 | 0x7ec8f000 | 0x7ec8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #645: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #645 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DUSER/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb4c |
| Parent PID | 0xf08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC4
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000340000 | 0x00340000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00413fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00431fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e742fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e745000 | 0x7e745000 | 0x7e745fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e74c000 | 0x7e74c000 | 0x7e74efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e74f000 | 0x7e74f000 | 0x7e74ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #646: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #646 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DXGI/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xea4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
788
0x
FB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e30000 | 0x00e30000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ff0000 | 0x010adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005460000 | 0x05460000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054e0000 | 0x054e0000 | 0x055dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055e0000 | 0x05916fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eeb0000 | 0x7eeb0000 | 0x7efaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd6000 | 0x7efd6000 | 0x7efd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd9000 | 0x7efd9000 | 0x7efd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdc000 | 0x7efdc000 | 0x7efdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdd000 | 0x7efdd000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 52, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf94, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #648: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #648 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DXGI/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf94 |
| Parent PID | 0xea4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF0
0x
994
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x04caffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04da1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec00000 | 0x7ec00000 | 0x7ec22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec29000 | 0x7ec29000 | 0x7ec2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec2c000 | 0x7ec2c000 | 0x7ec2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec2f000 | 0x7ec2f000 | 0x7ec2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #649: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #649 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DXGI/Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
920
0x
C0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e30000 | 0x00e30000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01010000 | 0x010cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005320000 | 0x05320000 | 0x0541ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x0554ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05550000 | 0x05886fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef68000 | 0x7ef68000 | 0x7ef6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6b000 | 0x7ef6b000 | 0x7ef6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6e000 | 0x7ef6e000 | 0x7ef6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #651: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #651 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DXGI/Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xfa8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
968
0x
34C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x04e5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7c0000 | 0x7e7c0000 | 0x7e7e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7e4000 | 0x7e7e4000 | 0x7e7e4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7ec000 | 0x7e7ec000 | 0x7e7ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7ed000 | 0x7e7ed000 | 0x7e7effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #652: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #652 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DXP/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfcc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D0
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c70000 | 0x00d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0527ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05280000 | 0x055b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8a0000 | 0x7f8a0000 | 0x7f99ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9a0000 | 0x7f9a0000 | 0x7f9c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9c6000 | 0x7f9c6000 | 0x7f9c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9c9000 | 0x7f9c9000 | 0x7f9cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9cc000 | 0x7f9cc000 | 0x7f9ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9cd000 | 0x7f9cd000 | 0x7f9cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 47, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #654: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #654 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DXP/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:03, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf98 |
| Parent PID | 0xfcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C48
0x
FF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x04e3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e61fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f830000 | 0x7f830000 | 0x7f852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f857000 | 0x7f857000 | 0x7f857fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85c000 | 0x7f85c000 | 0x7f85efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85f000 | 0x7f85f000 | 0x7f85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #655: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #655 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Data-Pdf/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x370 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C58
0x
C90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00580000 | 0x0063dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b50000 | 0x00e86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f150000 | 0x7f150000 | 0x7f24ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f250000 | 0x7f250000 | 0x7f272fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f275000 | 0x7f275000 | 0x7f275fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f276000 | 0x7f276000 | 0x7f276fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f27a000 | 0x7f27a000 | 0x7f27cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f27d000 | 0x7f27d000 | 0x7f27ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 112, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #657: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #657 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Data-Pdf/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc2c |
| Parent PID | 0x370 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF8
0x
C3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x04deffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0532ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0fa000 | 0x7f0fa000 | 0x7f0fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fc000 | 0x7f0fc000 | 0x7f0fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ff000 | 0x7f0ff000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #658: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #658 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DataIntegrityScan/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:04, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf20 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C84
0x
FDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f90000 | 0x0104dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05400000 | 0x05736fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea90000 | 0x7ea90000 | 0x7eb8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb90000 | 0x7eb90000 | 0x7ebb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebb3000 | 0x7ebb3000 | 0x7ebb3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebb9000 | 0x7ebb9000 | 0x7ebb9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebba000 | 0x7ebba000 | 0x7ebbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebbd000 | 0x7ebbd000 | 0x7ebbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 204, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfe8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #660: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #660 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DataIntegrityScan/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:04, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfe8 |
| Parent PID | 0xf20 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C78
0x
538
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003e0000 | 0x003e0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea10000 | 0x7ea10000 | 0x7ea32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea3b000 | 0x7ea3b000 | 0x7ea3dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3e000 | 0x7ea3e000 | 0x7ea3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3f000 | 0x7ea3f000 | 0x7ea3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #661: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #661 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DataIntegrityScan/CrashRecovery" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:04, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
458
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00980000 | 0x00a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f450000 | 0x7f450000 | 0x7f54ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f550000 | 0x7f550000 | 0x7f572fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f575000 | 0x7f575000 | 0x7f575fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f577000 | 0x7f577000 | 0x7f579fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57a000 | 0x7f57a000 | 0x7f57cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57d000 | 0x7f57d000 | 0x7f57dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x828, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #663: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #663 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DataIntegrityScan/CrashRecovery" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:04, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x828 |
| Parent PID | 0xee8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f332fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f336000 | 0x7f336000 | 0x7f336fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33c000 | 0x7f33c000 | 0x7f33efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f33f000 | 0x7f33f000 | 0x7f33ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #664: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #664 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x444 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD4
0x
57C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f80000 | 0x00f80000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x01131fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051b0000 | 0x0526dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005440000 | 0x05440000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05540000 | 0x05876fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f850000 | 0x7f850000 | 0x7f94ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7f972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f975000 | 0x7f975000 | 0x7f977fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f978000 | 0x7f978000 | 0x7f978fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97a000 | 0x7f97a000 | 0x7f97cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97d000 | 0x7f97d000 | 0x7f97dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 3, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xee0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #666: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #666 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0x444 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C5C
0x
688
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000820000 | 0x00820000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00841fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7f000 | 0x7ef7f000 | 0x7ef7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #667: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #667 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x550 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF0
0x
DEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f30000 | 0x00f30000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0538ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054d0000 | 0x054d0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055d0000 | 0x05906fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb90000 | 0x7fb90000 | 0x7fc8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc90000 | 0x7fc90000 | 0x7fcb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fcb8000 | 0x7fcb8000 | 0x7fcb8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcb9000 | 0x7fcb9000 | 0x7fcbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcbc000 | 0x7fcbc000 | 0x7fcbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcbf000 | 0x7fcbf000 | 0x7fcbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xa24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #669: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #669 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0x550 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D90
0x
790
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x04d2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0520ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e750000 | 0x7e750000 | 0x7e772fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e776000 | 0x7e776000 | 0x7e776fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e777000 | 0x7e777000 | 0x7e777fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e77d000 | 0x7e77d000 | 0x7e77ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #670: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #670 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x638 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E14
0x
584
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d90000 | 0x00e4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05480000 | 0x057b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eeb0000 | 0x7eeb0000 | 0x7efaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd7000 | 0x7efd7000 | 0x7efd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efda000 | 0x7efda000 | 0x7efdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdd000 | 0x7efdd000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 172, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xdd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #672: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #672 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DateTimeControlPanel/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0x638 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
70C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x04c9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cc1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2a0000 | 0x7f2a0000 | 0x7f2c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2c3000 | 0x7f2c3000 | 0x7f2c3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2cc000 | 0x7f2cc000 | 0x7f2cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2cf000 | 0x7f2cf000 | 0x7f2cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #673: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #673 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:06, Reason: Child Process |
| Unmonitor | End Time: 00:04:06, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3f0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
0x
924
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009d0000 | 0x009d0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ba0000 | 0x00c5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7fa4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa50000 | 0x7fa50000 | 0x7fa72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa74000 | 0x7fa74000 | 0x7fa74fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa78000 | 0x7fa78000 | 0x7fa7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa7b000 | 0x7fa7b000 | 0x7fa7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa7e000 | 0x7fa7e000 | 0x7fa7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #675: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #675 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:06, Reason: Child Process |
| Unmonitor | End Time: 00:04:06, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe20 |
| Parent PID | 0x3f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D80
0x
69C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x04f4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005020000 | 0x05020000 | 0x05023fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005030000 | 0x05030000 | 0x05030fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x05041fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x0520ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f312fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f317000 | 0x7f317000 | 0x7f317fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31a000 | 0x7f31a000 | 0x7f31afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31d000 | 0x7f31d000 | 0x7f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #676: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #676 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:06, Reason: Child Process |
| Unmonitor | End Time: 00:04:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd1c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB4
0x
DCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b50000 | 0x00b50000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d10000 | 0x00dcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05320000 | 0x05656fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0f0000 | 0x7f0f0000 | 0x7f1effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f218000 | 0x7f218000 | 0x7f218fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f219000 | 0x7f219000 | 0x7f21bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f21c000 | 0x7f21c000 | 0x7f21efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f21f000 | 0x7f21f000 | 0x7f21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe24, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #678: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #678 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:06, Reason: Child Process |
| Unmonitor | End Time: 00:04:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe24 |
| Parent PID | 0xd1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF8
0x
CA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x04eaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ee0000 | 0x04ee0000 | 0x04ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e680000 | 0x7e680000 | 0x7e6a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6aa000 | 0x7e6aa000 | 0x7e6acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6ad000 | 0x7e6ad000 | 0x7e6adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6ae000 | 0x7e6ae000 | 0x7e6aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #679: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #679 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:07, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x678 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
42C
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00830000 | 0x00b66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5a0000 | 0x7f5a0000 | 0x7f69ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6c3000 | 0x7f6c3000 | 0x7f6c3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6c6000 | 0x7f6c6000 | 0x7f6c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ca000 | 0x7f6ca000 | 0x7f6ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cd000 | 0x7f6cd000 | 0x7f6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x750, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #681: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #681 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:07, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x750 |
| Parent PID | 0x678 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF8
0x
768
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x04f8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fc0000 | 0x04fc0000 | 0x04fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005060000 | 0x05060000 | 0x05063fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005070000 | 0x05070000 | 0x05070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x05081fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f860000 | 0x7f860000 | 0x7f882fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f887000 | 0x7f887000 | 0x7f887fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f88a000 | 0x7f88a000 | 0x7f88cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f88d000 | 0x7f88d000 | 0x7f88dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #682: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #682 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Scrubbing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf80 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6D8
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009d0000 | 0x009d0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c20000 | 0x00cddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e340000 | 0x7e340000 | 0x7e43ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e440000 | 0x7e440000 | 0x7e462fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e463000 | 0x7e463000 | 0x7e463fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e469000 | 0x7e469000 | 0x7e46bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e46c000 | 0x7e46c000 | 0x7e46efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e46f000 | 0x7e46f000 | 0x7e46ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x978, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #684: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #684 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Deduplication/Scrubbing" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:08, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x978 |
| Parent PID | 0xf80 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC4
0x
D88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x04beffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04cd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7ef22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef2a000 | 0x7ef2a000 | 0x7ef2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2d000 | 0x7ef2d000 | 0x7ef2dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2f000 | 0x7ef2f000 | 0x7ef2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #685: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #685 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Defrag-Core/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:08, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D78
0x
D18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008f0000 | 0x008f0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c00000 | 0x00cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5c0000 | 0x7f5c0000 | 0x7f6bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6c0000 | 0x7f6c0000 | 0x7f6e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6e6000 | 0x7f6e6000 | 0x7f6e8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6e9000 | 0x7f6e9000 | 0x7f6ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ec000 | 0x7f6ec000 | 0x7f6ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ed000 | 0x7f6ed000 | 0x7f6edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 253, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #687: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #687 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Defrag-Core/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:08, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd4c |
| Parent PID | 0x7f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F60
0x
E88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x04ddffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f000000 | 0x7f000000 | 0x7f022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f02b000 | 0x7f02b000 | 0x7f02bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02c000 | 0x7f02c000 | 0x7f02efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02f000 | 0x7f02f000 | 0x7f02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #688: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #688 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Deplorch/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:09, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x700 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E34
0x
CEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00641fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006a0000 | 0x0075dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ad0000 | 0x00e06fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f16ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f196000 | 0x7f196000 | 0x7f198fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f199000 | 0x7f199000 | 0x7f199fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19a000 | 0x7f19a000 | 0x7f19afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19d000 | 0x7f19d000 | 0x7f19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xce0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #690: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #690 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Deplorch/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:09, Reason: Child Process |
| Unmonitor | End Time: 00:04:09, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce0 |
| Parent PID | 0x700 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
114
0x
E74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009e0000 | 0x009e0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2b0000 | 0x7f2b0000 | 0x7f2d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2d5000 | 0x7f2d5000 | 0x7f2d5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2db000 | 0x7f2db000 | 0x7f2dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2dd000 | 0x7f2dd000 | 0x7f2dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #691: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #691 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DesktopActivityModerator/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:09, Reason: Child Process |
| Unmonitor | End Time: 00:04:09, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
0x
E54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000770000 | 0x00770000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0077ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00903fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b50000 | 0x00c0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e620000 | 0x7e620000 | 0x7e71ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e742fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e746000 | 0x7e746000 | 0x7e748fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e749000 | 0x7e749000 | 0x7e749fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e74b000 | 0x7e74b000 | 0x7e74dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e74e000 | 0x7e74e000 | 0x7e74efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x590, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #693: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #693 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DesktopActivityModerator/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:09, Reason: Child Process |
| Unmonitor | End Time: 00:04:09, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x590 |
| Parent PID | 0xcb0 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD8
0x
DD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001d0000 | 0x001d0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00213fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f230000 | 0x7f230000 | 0x7f252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f25b000 | 0x7f25b000 | 0x7f25bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f25c000 | 0x7f25c000 | 0x7f25efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f25f000 | 0x7f25f000 | 0x7f25ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #694: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #694 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:09, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x348 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
604
0x
7E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000510000 | 0x00510000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0051ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00523fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00840000 | 0x008fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bf0000 | 0x00f26fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f15ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f183000 | 0x7f183000 | 0x7f183fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f187000 | 0x7f187000 | 0x7f189fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18a000 | 0x7f18a000 | 0x7f18afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18d000 | 0x7f18d000 | 0x7f18ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 233, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #696: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #696 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:09, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0 |
| Parent PID | 0x348 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1A0
0x
E40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000950000 | 0x00950000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f096000 | 0x7f096000 | 0x7f096fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09a000 | 0x7f09a000 | 0x7f09afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09d000 | 0x7f09d000 | 0x7f09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #697: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #697 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceAssociationService/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:10, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd30 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
43C
0x
E7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ec0000 | 0x00f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05440000 | 0x05776fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7f01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f043000 | 0x7f043000 | 0x7f043fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f048000 | 0x7f048000 | 0x7f04afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04b000 | 0x7f04b000 | 0x7f04dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04e000 | 0x7f04e000 | 0x7f04efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x328, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #699: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #699 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceAssociationService/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:10, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x328 |
| Parent PID | 0xd30 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
804
0x
304
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x04ecffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x04f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fc1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f870000 | 0x7f870000 | 0x7f892fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f89a000 | 0x7f89a000 | 0x7f89afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f89c000 | 0x7f89c000 | 0x7f89cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f89d000 | 0x7f89d000 | 0x7f89ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #700: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #700 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceConfidence/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:10, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6fc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
428
0x
A34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000680000 | 0x00680000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x0068ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00693fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009e0000 | 0x00a9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00d10000 | 0x01046fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eb7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7eba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eba4000 | 0x7eba4000 | 0x7eba6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eba7000 | 0x7eba7000 | 0x7eba7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebaa000 | 0x7ebaa000 | 0x7ebacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebad000 | 0x7ebad000 | 0x7ebadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x8ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #702: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #702 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceConfidence/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:10, Reason: Child Process |
| Unmonitor | End Time: 00:04:10, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8ec |
| Parent PID | 0x6fc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
468
0x
15C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000050000 | 0x00050000 | 0x0006ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00071fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00123fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e500000 | 0x7e500000 | 0x7e522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e523000 | 0x7e523000 | 0x7e523fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e52c000 | 0x7e52c000 | 0x7e52cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e52d000 | 0x7e52d000 | 0x7e52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #703: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #703 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:10, Reason: Child Process |
| Unmonitor | End Time: 00:04:11, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
464
0x
C98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007e0000 | 0x007e0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00803fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00823fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00973fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00980fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b50000 | 0x00c0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00e00000 | 0x01136fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7f0cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0f7000 | 0x7f0f7000 | 0x7f0f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0f8000 | 0x7f0f8000 | 0x7f0fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fb000 | 0x7f0fb000 | 0x7f0fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #705: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #705 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:11, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb04 |
| Parent PID | 0xa40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B38
0x
6E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000900000 | 0x00900000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00943fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7eca2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eca5000 | 0x7eca5000 | 0x7eca5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecac000 | 0x7ecac000 | 0x7ecaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecaf000 | 0x7ecaf000 | 0x7ecaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #706: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #706 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:11, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
424
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b70000 | 0x00b70000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d30000 | 0x00dedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0543ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05440000 | 0x05776fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eff0000 | 0x7eff0000 | 0x7f0effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0f0000 | 0x7f0f0000 | 0x7f112fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f115000 | 0x7f115000 | 0x7f115fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f119000 | 0x7f119000 | 0x7f11bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f11c000 | 0x7f11c000 | 0x7f11cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f11d000 | 0x7f11d000 | 0x7f11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x960, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #708: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #708 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:11, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x960 |
| Parent PID | 0x2d0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF0
0x
BDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x04c4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c71fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c80000 | 0x04c80000 | 0x04c93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d20000 | 0x04d20000 | 0x04d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eda0000 | 0x7eda0000 | 0x7edc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edc5000 | 0x7edc5000 | 0x7edc5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edcb000 | 0x7edcb000 | 0x7edcbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edcd000 | 0x7edcd000 | 0x7edcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #709: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #709 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:12, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4b0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF4
0x
64C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0018ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00193fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00510000 | 0x005cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00820000 | 0x00b56fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f228000 | 0x7f228000 | 0x7f228fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f229000 | 0x7f229000 | 0x7f22bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22c000 | 0x7f22c000 | 0x7f22efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22f000 | 0x7f22f000 | 0x7f22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xcb8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #711: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #711 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:12, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb8 |
| Parent PID | 0x4b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6E8
0x
5E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x04d2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f960000 | 0x7f960000 | 0x7f982fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f986000 | 0x7f986000 | 0x7f986fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f98b000 | 0x7f98b000 | 0x7f98dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f98e000 | 0x7f98e000 | 0x7f98efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #712: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #712 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:12, Reason: Child Process |
| Unmonitor | End Time: 00:04:12, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2EC
0x
7F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000250000 | 0x00250000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x0025ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00273fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005d0000 | 0x0068dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00790000 | 0x00ac6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e2c0000 | 0x7e2c0000 | 0x7e3bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e3c0000 | 0x7e3c0000 | 0x7e3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3e8000 | 0x7e3e8000 | 0x7e3eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3eb000 | 0x7e3eb000 | 0x7e3edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3ee000 | 0x7e3ee000 | 0x7e3eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3ef000 | 0x7e3ef000 | 0x7e3effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf00, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #714: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #714 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceSetupManager/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:12, Reason: Child Process |
| Unmonitor | End Time: 00:04:12, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf00 |
| Parent PID | 0xb44 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F3C
0x
BF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050a1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e892fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e897000 | 0x7e897000 | 0x7e897fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89c000 | 0x7e89c000 | 0x7e89efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89f000 | 0x7e89f000 | 0x7e89ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #715: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #715 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSync/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:12, Reason: Child Process |
| Unmonitor | End Time: 00:04:13, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
EB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f40000 | 0x00ffdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05470000 | 0x057a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f3effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3f0000 | 0x7f3f0000 | 0x7f412fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f416000 | 0x7f416000 | 0x7f416fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f417000 | 0x7f417000 | 0x7f419fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f41a000 | 0x7f41a000 | 0x7f41afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f41d000 | 0x7f41d000 | 0x7f41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x740, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #717: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #717 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceSync/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:12, Reason: Child Process |
| Unmonitor | End Time: 00:04:13, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x740 |
| Parent PID | 0xa80 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D58
0x
D54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x04ddffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ee92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee96000 | 0x7ee96000 | 0x7ee96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee9c000 | 0x7ee9c000 | 0x7ee9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee9f000 | 0x7ee9f000 | 0x7ee9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #718: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #718 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceSync/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:12, Reason: Child Process |
| Unmonitor | End Time: 00:04:13, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3ec |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EFC
0x
D48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01071fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01080000 | 0x0113dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052d3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0548ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005490000 | 0x05490000 | 0x0558ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05590000 | 0x058c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e810000 | 0x7e810000 | 0x7e90ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e910000 | 0x7e910000 | 0x7e932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e934000 | 0x7e934000 | 0x7e934fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e939000 | 0x7e939000 | 0x7e93bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e93c000 | 0x7e93c000 | 0x7e93efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e93f000 | 0x7e93f000 | 0x7e93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #720: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #720 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceSync/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:13, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0x3ec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D5C
0x
ADC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000590000 | 0x00590000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00663fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00681fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb88000 | 0x7eb88000 | 0x7eb88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8c000 | 0x7eb8c000 | 0x7eb8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb8d000 | 0x7eb8d000 | 0x7eb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #721: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #721 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceUx/Informational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf14 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
818
0x
490
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000f0000 | 0x000f0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003c0000 | 0x0047dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006b0000 | 0x009e6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6b4000 | 0x7f6b4000 | 0x7f6b4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6b7000 | 0x7f6b7000 | 0x7f6b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ba000 | 0x7f6ba000 | 0x7f6bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bd000 | 0x7f6bd000 | 0x7f6bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #723: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #723 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceUx/Informational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0xf14 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E04
0x
7BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7eca2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eca4000 | 0x7eca4000 | 0x7eca4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecac000 | 0x7ecac000 | 0x7ecaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecaf000 | 0x7ecaf000 | 0x7ecaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #724: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #724 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DeviceUx/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf40 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B28
0x
364
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001c0000 | 0x001c0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003f0000 | 0x004adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00830000 | 0x00b66fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e823000 | 0x7e823000 | 0x7e823fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e826000 | 0x7e826000 | 0x7e826fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 128, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x844, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #726: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #726 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DeviceUx/Performance" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0xf40 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
76C
0x
A2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x04eeffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fc0000 | 0x04fc0000 | 0x04fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fd0000 | 0x04fd0000 | 0x04fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4f0000 | 0x7e4f0000 | 0x7e512fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e51a000 | 0x7e51a000 | 0x7e51afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e51c000 | 0x7e51c000 | 0x7e51efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e51f000 | 0x7e51f000 | 0x7e51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #727: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #727 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcp-Client/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd44 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD8
0x
950
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000a0000 | 0x000a0000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x0036dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007e0000 | 0x00b16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef55000 | 0x7ef55000 | 0x7ef57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef58000 | 0x7ef58000 | 0x7ef58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5a000 | 0x7ef5a000 | 0x7ef5afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5d000 | 0x7ef5d000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #729: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #729 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Dhcp-Client/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0xd44 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2F0
0x
D3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00633fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7edb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edb4000 | 0x7edb4000 | 0x7edb4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edba000 | 0x7edba000 | 0x7edbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edbd000 | 0x7edbd000 | 0x7edbdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #730: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #730 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcp-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
544
0x
D08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000920000 | 0x00920000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x0092ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00933fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00941fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00943fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00963fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00cb0000 | 0x00d6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5d0000 | 0x7e5d0000 | 0x7e6cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6f8000 | 0x7e6f8000 | 0x7e6fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6fb000 | 0x7e6fb000 | 0x7e6fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6fe000 | 0x7e6fe000 | 0x7e6fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6ff000 | 0x7e6ff000 | 0x7e6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x534, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #732: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #732 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Dhcp-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x534 |
| Parent PID | 0xb3c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB8
0x
548
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eed0000 | 0x7eed0000 | 0x7eef2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eef4000 | 0x7eef4000 | 0x7eef4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefa000 | 0x7eefa000 | 0x7eefafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefd000 | 0x7eefd000 | 0x7eefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #733: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #733 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcpv6-Client/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D38
0x
894
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006a0000 | 0x0075dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009d0000 | 0x00d06fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7ec6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ec92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec96000 | 0x7ec96000 | 0x7ec98fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec99000 | 0x7ec99000 | 0x7ec99fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9c000 | 0x7ec9c000 | 0x7ec9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9f000 | 0x7ec9f000 | 0x7ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #735: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #735 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Dhcpv6-Client/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe58 |
| Parent PID | 0xfc4 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1B4
0x
9C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008a0000 | 0x008a0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00973fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00980fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04c8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e742fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e745000 | 0x7e745000 | 0x7e745fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e74b000 | 0x7e74b000 | 0x7e74bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e74d000 | 0x7e74d000 | 0x7e74ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #736: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #736 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Dhcpv6-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
94C
0x
814
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0045ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00690000 | 0x0074dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00960000 | 0x00c96fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4b0000 | 0x7e4b0000 | 0x7e5affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e5b0000 | 0x7e5b0000 | 0x7e5d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5d7000 | 0x7e5d7000 | 0x7e5d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5da000 | 0x7e5da000 | 0x7e5dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5db000 | 0x7e5db000 | 0x7e5dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5dd000 | 0x7e5dd000 | 0x7e5dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #738: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #738 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Dhcpv6-Client/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0xe5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
478
0x
E78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7ef02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef04000 | 0x7ef04000 | 0x7ef04fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef0b000 | 0x7ef0b000 | 0x7ef0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef0d000 | 0x7ef0d000 | 0x7ef0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #739: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #739 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-DiagCpl/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc60 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FBC
0x
C04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009e0000 | 0x009e0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c30000 | 0x00cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fab0000 | 0x7fab0000 | 0x7fbaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fbb0000 | 0x7fbb0000 | 0x7fbd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fbd7000 | 0x7fbd7000 | 0x7fbd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbda000 | 0x7fbda000 | 0x7fbdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbdc000 | 0x7fbdc000 | 0x7fbdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fbdf000 | 0x7fbdf000 | 0x7fbdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 27, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x60c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #741: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #741 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-DiagCpl/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x60c |
| Parent PID | 0xc60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC0
0x
41C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x04bdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c10000 | 0x04c10000 | 0x04c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04cb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd6000 | 0x7efd6000 | 0x7efd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdd000 | 0x7efdd000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #742: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #742 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb24 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CDC
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01030000 | 0x010edfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x053cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053d0000 | 0x05706fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7eddffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7ee02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee05000 | 0x7ee05000 | 0x7ee07fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee08000 | 0x7ee08000 | 0x7ee08fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee0a000 | 0x7ee0a000 | 0x7ee0afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee0d000 | 0x7ee0d000 | 0x7ee0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #744: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #744 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe90 |
| Parent PID | 0xb24 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC8
0x
EB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000350000 | 0x00350000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f098000 | 0x7f098000 | 0x7f098fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09c000 | 0x7f09c000 | 0x7f09cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09d000 | 0x7f09d000 | 0x7f09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #745: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #745 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:17, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf9c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
0x
EF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f90000 | 0x00f90000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01123fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x01130fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x05191fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051a0000 | 0x0525dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0549ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054a0000 | 0x054a0000 | 0x0559ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005630000 | 0x05630000 | 0x0563ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05640000 | 0x05976fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e560000 | 0x7e560000 | 0x7e65ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e660000 | 0x7e660000 | 0x7e682fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e688000 | 0x7e688000 | 0x7e688fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e689000 | 0x7e689000 | 0x7e68bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e68c000 | 0x7e68c000 | 0x7e68efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e68f000 | 0x7e68f000 | 0x7e68ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x994, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #747: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #747 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:17, Reason: Child Process |
| Unmonitor | End Time: 00:04:17, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x994 |
| Parent PID | 0xf9c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
0x
788
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef65000 | 0x7ef65000 | 0x7ef65fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6a000 | 0x7ef6a000 | 0x7ef6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6d000 | 0x7ef6d000 | 0x7ef6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #748: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #748 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:17, Reason: Child Process |
| Unmonitor | End Time: 00:04:17, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfb0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF4
0x
968
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000f0000 | 0x000f0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x0038dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007f0000 | 0x00b26fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7eceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed16000 | 0x7ed16000 | 0x7ed16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed18000 | 0x7ed18000 | 0x7ed18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1a000 | 0x7ed1a000 | 0x7ed1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1d000 | 0x7ed1d000 | 0x7ed1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x34c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #750: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #750 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:17, Reason: Child Process |
| Unmonitor | End Time: 00:04:17, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x34c |
| Parent PID | 0xfb0 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F18
0x
920
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000850000 | 0x00850000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00941fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f285000 | 0x7f285000 | 0x7f285fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f289000 | 0x7f289000 | 0x7f289fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f28d000 | 0x7f28d000 | 0x7f28ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #751: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #751 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:17, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc0c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA0
0x
C48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000890000 | 0x00890000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x0089ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c00000 | 0x00cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5f0000 | 0x7f5f0000 | 0x7f6effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f712fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f713000 | 0x7f713000 | 0x7f713fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f719000 | 0x7f719000 | 0x7f71bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f71c000 | 0x7f71c000 | 0x7f71cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f71d000 | 0x7f71d000 | 0x7f71ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 115, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xff4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #753: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #753 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-DPS/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:17, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff4 |
| Parent PID | 0xc0c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FFC
0x
3D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006a0000 | 0x006a0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00773fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8f0000 | 0x7e8f0000 | 0x7e912fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e919000 | 0x7e919000 | 0x7e91bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e91c000 | 0x7e91c000 | 0x7e91cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e91d000 | 0x7e91d000 | 0x7e91dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #754: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #754 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-MSDE/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:18, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x908 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
0x
FF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e40000 | 0x00e40000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x054effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055e0000 | 0x055e0000 | 0x055effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055f0000 | 0x05926fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e910000 | 0x7e910000 | 0x7ea0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea10000 | 0x7ea10000 | 0x7ea32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea35000 | 0x7ea35000 | 0x7ea35fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea37000 | 0x7ea37000 | 0x7ea37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3a000 | 0x7ea3a000 | 0x7ea3cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3d000 | 0x7ea3d000 | 0x7ea3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #756: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #756 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-MSDE/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:18, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc3c |
| Parent PID | 0x908 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
C58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000060000 | 0x00060000 | 0x0007ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00081fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x000a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00151fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ee72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee75000 | 0x7ee75000 | 0x7ee75fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee7a000 | 0x7ee7a000 | 0x7ee7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee7d000 | 0x7ee7d000 | 0x7ee7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #757: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #757 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:18, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc90 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE4
0x
C78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x01091fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05190000 | 0x0524dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0534ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005460000 | 0x05460000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x0561ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05620000 | 0x05956fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef77000 | 0x7ef77000 | 0x7ef79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7e000 | 0x7ef7e000 | 0x7ef7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x538, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #759: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #759 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:18, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x538 |
| Parent PID | 0xc90 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF0
0x
C84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ec62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec66000 | 0x7ec66000 | 0x7ec66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6b000 | 0x7ec6b000 | 0x7ec6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6e000 | 0x7ec6e000 | 0x7ec6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #760: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #760 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:18, Reason: Child Process |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfdc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CFC
0x
580
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000480000 | 0x00480000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x0048ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00631fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00680000 | 0x0073dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ab0000 | 0x00de6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f940000 | 0x7f940000 | 0x7fa3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fa62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa68000 | 0x7fa68000 | 0x7fa6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6b000 | 0x7fa6b000 | 0x7fa6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6e000 | 0x7fa6e000 | 0x7fa6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6f000 | 0x7fa6f000 | 0x7fa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xbe4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #762: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #762 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe4 |
| Parent PID | 0xfdc (c:\users\ciihmnxmn6ps\desktop\kraken.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8A4
0x
458
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000f0000 | 0x000f0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ec62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec69000 | 0x7ec69000 | 0x7ec69fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6c000 | 0x7ec6c000 | 0x7ec6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec6f000 | 0x7ec6f000 | 0x7ec6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #763: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #763 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED8
0x
C5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0029ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00620000 | 0x006ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00980000 | 0x00cb6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6b0000 | 0x7f6b0000 | 0x7f7affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f7b0000 | 0x7f7b0000 | 0x7f7d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f7d8000 | 0x7f7d8000 | 0x7f7dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7db000 | 0x7f7db000 | 0x7f7ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7de000 | 0x7f7de000 | 0x7f7defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7df000 | 0x7f7df000 | 0x7f7dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x688, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #765: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #765 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PCW/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x688 |
| Parent PID | 0xdb8 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C68
0x
FD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000630000 | 0x00630000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00703fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f059000 | 0x7f059000 | 0x7f05bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05c000 | 0x7f05c000 | 0x7f05cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05f000 | 0x7f05f000 | 0x7f05ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #766: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #766 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PLA/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x57c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B20
0x
D90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e50000 | 0x00e50000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01001fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01050000 | 0x0110dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x0524ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0546ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05470000 | 0x057a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f450000 | 0x7f450000 | 0x7f54ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f550000 | 0x7f550000 | 0x7f572fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f578000 | 0x7f578000 | 0x7f57afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57b000 | 0x7f57b000 | 0x7f57dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57e000 | 0x7f57e000 | 0x7f57efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f57f000 | 0x7f57f000 | 0x7f57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x790, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #768: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #768 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PLA/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:20, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x790 |
| Parent PID | 0x57c (c:\windows\system32\reg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8D8
0x
DF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec90000 | 0x7ec90000 | 0x7ecb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecba000 | 0x7ecba000 | 0x7ecbcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecbd000 | 0x7ecbd000 | 0x7ecbdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecbf000 | 0x7ecbf000 | 0x7ecbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #769: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #769 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PLA/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:21, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdec |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C74
0x
E0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ea0000 | 0x00f5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055a0000 | 0x055a0000 | 0x055affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055b0000 | 0x058e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2d0000 | 0x7f2d0000 | 0x7f3cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3d0000 | 0x7f3d0000 | 0x7f3f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3f6000 | 0x7f3f6000 | 0x7f3f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3f7000 | 0x7f3f7000 | 0x7f3f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3fa000 | 0x7f3fa000 | 0x7f3fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3fd000 | 0x7f3fd000 | 0x7f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x70c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #771: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #771 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-PLA/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:21, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x70c |
| Parent PID | 0xdec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA8
0x
E14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x04d5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8e0000 | 0x7f8e0000 | 0x7f902fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f903000 | 0x7f903000 | 0x7f903fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f90c000 | 0x7f90c000 | 0x7f90cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f90d000 | 0x7f90d000 | 0x7f90ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #772: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #772 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Perfhost/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:21, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x584 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E08
0x
D80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d70000 | 0x00d70000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00db3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f50000 | 0x0100dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055d0000 | 0x055d0000 | 0x055dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055e0000 | 0x05916fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edd3000 | 0x7edd3000 | 0x7edd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edd9000 | 0x7edd9000 | 0x7edd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edda000 | 0x7edda000 | 0x7eddcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddd000 | 0x7eddd000 | 0x7eddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x69c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #774: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #774 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Perfhost/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:21, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x69c |
| Parent PID | 0x584 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
93C
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00243fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7eb92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb98000 | 0x7eb98000 | 0x7eb9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9b000 | 0x7eb9b000 | 0x7eb9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb9e000 | 0x7eb9e000 | 0x7eb9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #775: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #775 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scheduled/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:21, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x924 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D9C
0x
EF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0018ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00193fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00760000 | 0x00a96fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edd4000 | 0x7edd4000 | 0x7edd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edd7000 | 0x7edd7000 | 0x7edd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edda000 | 0x7edda000 | 0x7eddafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eddd000 | 0x7eddd000 | 0x7edddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xca4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #777: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #777 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scheduled/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:21, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca4 |
| Parent PID | 0x924 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
72C
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x04deffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0520ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f1d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1db000 | 0x7f1db000 | 0x7f1dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1dc000 | 0x7f1dc000 | 0x7f1defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1df000 | 0x7f1df000 | 0x7f1dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #778: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #778 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdcc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E30
0x
CF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0045ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00790000 | 0x0084dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a70000 | 0x00da6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f46ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f496000 | 0x7f496000 | 0x7f496fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f499000 | 0x7f499000 | 0x7f49bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49c000 | 0x7f49c000 | 0x7f49efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49f000 | 0x7f49f000 | 0x7f49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x768, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #780: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #780 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Admin" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x768 |
| Parent PID | 0xdcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E50
0x
42C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x04ddffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e01fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7ef12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef18000 | 0x7ef18000 | 0x7ef18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1b000 | 0x7ef1b000 | 0x7ef1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1d000 | 0x7ef1d000 | 0x7ef1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #781: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #781 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
674
0x
DC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000980000 | 0x00980000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0098ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e560000 | 0x7e560000 | 0x7e65ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e660000 | 0x7e660000 | 0x7e682fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e686000 | 0x7e686000 | 0x7e686fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e689000 | 0x7e689000 | 0x7e689fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e68a000 | 0x7e68a000 | 0x7e68cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e68d000 | 0x7e68d000 | 0x7e68ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #783: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #783 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd88 |
| Parent PID | 0xa70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E6C
0x
6D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000760000 | 0x00760000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x007a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f099000 | 0x7f099000 | 0x7f09bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09c000 | 0x7f09c000 | 0x7f09cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f09f000 | 0x7f09f000 | 0x7f09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #784: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #784 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xddc |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
224
0x
F60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051a0000 | 0x051a0000 | 0x051a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05360000 | 0x0541dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0551ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005710000 | 0x05710000 | 0x0571ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05720000 | 0x05a56fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2c0000 | 0x7f2c0000 | 0x7f3bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3e5000 | 0x7f3e5000 | 0x7f3e5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3e7000 | 0x7f3e7000 | 0x7f3e9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ea000 | 0x7f3ea000 | 0x7f3eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ed000 | 0x7f3ed000 | 0x7f3effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #786: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #786 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe88 |
| Parent PID | 0xddc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D24
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f18b000 | 0x7f18b000 | 0x7f18bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18c000 | 0x7f18c000 | 0x7f18cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18d000 | 0x7f18d000 | 0x7f18ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #787: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #787 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd18 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E10
0x
114
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x0015ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00163fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00320000 | 0x003ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00423fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006c0000 | 0x009f6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ef6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7ef92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef96000 | 0x7ef96000 | 0x7ef98fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef99000 | 0x7ef99000 | 0x7ef9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef9c000 | 0x7ef9c000 | 0x7ef9cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef9d000 | 0x7ef9d000 | 0x7ef9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #789: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #789 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-Scripted/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe74 |
| Parent PID | 0xd18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF8
0x
E34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7efa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa8000 | 0x7efa8000 | 0x7efa8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #790: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #790 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D8C
0x
DD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000960000 | 0x00960000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x0096ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00973fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00981fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x009a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b20000 | 0x00bddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ecbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7ece2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ece5000 | 0x7ece5000 | 0x7ece5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ece7000 | 0x7ece7000 | 0x7ece7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecea000 | 0x7ecea000 | 0x7ececfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eced000 | 0x7eced000 | 0x7eceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 145, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xe48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #792: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #792 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe48 |
| Parent PID | 0xbe0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
0x
E54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00493fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7ea72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea7b000 | 0x7ea7b000 | 0x7ea7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea7e000 | 0x7ea7e000 | 0x7ea7efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea7f000 | 0x7ea7f000 | 0x7ea7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #793: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #793 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:24, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E1C
0x
E40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01071fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01080000 | 0x0113dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0540ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0550ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005660000 | 0x05660000 | 0x0566ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05670000 | 0x059a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e7cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e7f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7f3000 | 0x7e7f3000 | 0x7e7f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7f8000 | 0x7e7f8000 | 0x7e7fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7fb000 | 0x7e7fb000 | 0x7e7fbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7fd000 | 0x7e7fd000 | 0x7e7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 118, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #795: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #795 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0x5f4 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
604
0x
7E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7ea72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea77000 | 0x7ea77000 | 0x7ea77fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea7a000 | 0x7ea7a000 | 0x7ea7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea7d000 | 0x7ea7d000 | 0x7ea7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #796: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #796 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-WDC/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x554 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E28
0x
304
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000980000 | 0x00980000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0098ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4b0000 | 0x7e4b0000 | 0x7e5affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e5b0000 | 0x7e5b0000 | 0x7e5d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5d5000 | 0x7e5d5000 | 0x7e5d5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5d9000 | 0x7e5d9000 | 0x7e5dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5dc000 | 0x7e5dc000 | 0x7e5defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5df000 | 0x7e5df000 | 0x7e5dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #798: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #798 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-WDC/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:24, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc38 |
| Parent PID | 0x554 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
43C
0x
E7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000700000 | 0x00700000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fc30000 | 0x7fc30000 | 0x7fc52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc5b000 | 0x7fc5b000 | 0x7fc5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc5e000 | 0x7fc5e000 | 0x7fc5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc5f000 | 0x7fc5f000 | 0x7fc5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #799: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #799 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-WDI/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd50 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD0
0x
15C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004a0000 | 0x004a0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00633fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007f0000 | 0x008adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009b0000 | 0x00ce6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7eb3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb65000 | 0x7eb65000 | 0x7eb65fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb68000 | 0x7eb68000 | 0x7eb6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb6b000 | 0x7eb6b000 | 0x7eb6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb6e000 | 0x7eb6e000 | 0x7eb6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 225, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xce8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #801: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #801 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnosis-WDI/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce8 |
| Parent PID | 0xd50 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
428
0x
A34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005a0000 | 0x005a0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00680fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00691fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ebd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebd8000 | 0x7ebd8000 | 0x7ebd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdc000 | 0x7ebdc000 | 0x7ebdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebdf000 | 0x7ebdf000 | 0x7ebdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #802: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #802 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Networking/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe3c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
59C
0x
6E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00753fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00771fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00780000 | 0x0083dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cb0000 | 0x00fe6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3f0000 | 0x7f3f0000 | 0x7f4effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f512fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f516000 | 0x7f516000 | 0x7f516fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f517000 | 0x7f517000 | 0x7f517fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f51a000 | 0x7f51a000 | 0x7f51cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f51d000 | 0x7f51d000 | 0x7f51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 235, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xa54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #804: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #804 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Networking/Debug" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0xe3c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
464
0x
C98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e420000 | 0x7e420000 | 0x7e442fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e449000 | 0x7e449000 | 0x7e449fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e44b000 | 0x7e44b000 | 0x7e44bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e44d000 | 0x7e44d000 | 0x7e44ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #805: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #805 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Networking/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
830
0x
BDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000a0000 | 0x000a0000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00260000 | 0x0031dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00850000 | 0x00b86fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fd10000 | 0x7fd10000 | 0x7fe0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fe10000 | 0x7fe10000 | 0x7fe32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fe37000 | 0x7fe37000 | 0x7fe37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe39000 | 0x7fe39000 | 0x7fe39fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe3a000 | 0x7fe3a000 | 0x7fe3cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe3d000 | 0x7fe3d000 | 0x7fe3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 210, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #807: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #807 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Networking/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5dc |
| Parent PID | 0xe2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
424
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001a0000 | 0x001a0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6b0000 | 0x7f6b0000 | 0x7f6d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6d3000 | 0x7f6d3000 | 0x7f6d3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6db000 | 0x7f6db000 | 0x7f6ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6de000 | 0x7f6de000 | 0x7f6defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #808: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #808 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc34 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C08
0x
5E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b90000 | 0x00b90000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f20000 | 0x00fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052d0000 | 0x05606fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f79ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f7a0000 | 0x7f7a0000 | 0x7f7c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f7c6000 | 0x7f7c6000 | 0x7f7c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7c9000 | 0x7f7c9000 | 0x7f7cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7cc000 | 0x7f7cc000 | 0x7f7cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7cf000 | 0x7f7cf000 | 0x7f7cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 243, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x48c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #810: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #810 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x48c |
| Parent PID | 0xc34 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF4
0x
64C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fab0000 | 0x7fab0000 | 0x7fad2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fad8000 | 0x7fad8000 | 0x7fad8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fada000 | 0x7fada000 | 0x7fadcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fadd000 | 0x7fadd000 | 0x7faddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #811: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #811 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c0 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F84
0x
BF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000950000 | 0x00950000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x0095ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00963fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00973fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b10000 | 0x00bcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f12ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f130000 | 0x7f130000 | 0x7f152fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f154000 | 0x7f154000 | 0x7f156fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f157000 | 0x7f157000 | 0x7f157fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15a000 | 0x7f15a000 | 0x7f15afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15d000 | 0x7f15d000 | 0x7f15ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #813: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #813 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf48 |
| Parent PID | 0x2c0 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2EC
0x
7F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x04fdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05001fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05023fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x050c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005460000 | 0x05460000 | 0x0555ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eeb0000 | 0x7eeb0000 | 0x7eed2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eed3000 | 0x7eed3000 | 0x7eed3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eedb000 | 0x7eedb000 | 0x7eedbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eedd000 | 0x7eedd000 | 0x7eedffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #814: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #814 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:27, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfe4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D4
0x
D54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007b0000 | 0x007b0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00943fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00961fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009f0000 | 0x00aadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f880000 | 0x7f880000 | 0x7f97ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f980000 | 0x7f980000 | 0x7f9a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9a3000 | 0x7f9a3000 | 0x7f9a3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9a7000 | 0x7f9a7000 | 0x7f9a7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9aa000 | 0x7f9aa000 | 0x7f9acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9ad000 | 0x7f9ad000 | 0x7f9affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #816: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #816 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Diagnostic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:27, Reason: Child Process |
| Unmonitor | End Time: 00:04:27, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc40 |
| Parent PID | 0xfe4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
EB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3e5000 | 0x7f3e5000 | 0x7f3e5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3eb000 | 0x7f3eb000 | 0x7f3ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ed000 | 0x7f3ed000 | 0x7f3effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #817: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #817 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:27, Reason: Child Process |
| Unmonitor | End Time: 00:04:27, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
18C
0x
ADC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005b0000 | 0x005b0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00743fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00770000 | 0x0082dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00be0000 | 0x00f16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e63ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e667000 | 0x7e667000 | 0x7e669fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66a000 | 0x7e66a000 | 0x7e66afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66b000 | 0x7e66b000 | 0x7e66bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66d000 | 0x7e66d000 | 0x7e66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x5d0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #819: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #819 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:27, Reason: Child Process |
| Unmonitor | End Time: 00:04:27, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d0 |
| Parent PID | 0xf8c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EFC
0x
D48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000690000 | 0x00690000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7eeb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eeb7000 | 0x7eeb7000 | 0x7eeb7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eebc000 | 0x7eebc000 | 0x7eebefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eebf000 | 0x7eebf000 | 0x7eebffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #820: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #820 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:27, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf64 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D64
0x
7BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003e0000 | 0x003e0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00403fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00591fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x006adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a80000 | 0x00db6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7eceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed13000 | 0x7ed13000 | 0x7ed13fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed19000 | 0x7ed19000 | 0x7ed1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1c000 | 0x7ed1c000 | 0x7ed1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1f000 | 0x7ed1f000 | 0x7ed1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #822: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #822 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Diagnostics-Performance/Operational" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:27, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd60 |
| Parent PID | 0xf64 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
818
0x
490
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x04fcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05013fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e562fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e563000 | 0x7e563000 | 0x7e563fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e56c000 | 0x7e56c000 | 0x7e56efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e56f000 | 0x7e56f000 | 0x7e56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #823: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #823 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D10/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x510 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FAC
0x
76C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051a0000 | 0x051a0000 | 0x051a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051c0000 | 0x0527dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0557ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056f0000 | 0x056f0000 | 0x056fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05700000 | 0x05a36fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee00000 | 0x7ee00000 | 0x7eefffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7ef22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef26000 | 0x7ef26000 | 0x7ef28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef29000 | 0x7ef29000 | 0x7ef29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2a000 | 0x7ef2a000 | 0x7ef2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2d000 | 0x7ef2d000 | 0x7ef2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xa2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #825: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #825 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D10/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa2c |
| Parent PID | 0x510 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6C8
0x
B28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x04b7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04ba1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ed32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed34000 | 0x7ed34000 | 0x7ed34fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed35000 | 0x7ed35000 | 0x7ed35fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed3d000 | 0x7ed3d000 | 0x7ed3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #826: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #826 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D10_1/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:04:29, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x364 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E44
0x
2F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0037ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00503fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00530000 | 0x005edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a90000 | 0x00dc6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e6a0000 | 0x7e6a0000 | 0x7e79ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e7a0000 | 0x7e7a0000 | 0x7e7c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e7c8000 | 0x7e7c8000 | 0x7e7c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7c9000 | 0x7e7c9000 | 0x7e7cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7cc000 | 0x7e7cc000 | 0x7e7cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e7cf000 | 0x7e7cf000 | 0x7e7cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xd3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #828: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #828 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D10_1/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:04:29, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd3c |
| Parent PID | 0x364 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F5C
0x
BD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7ed12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed1a000 | 0x7ed1a000 | 0x7ed1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1b000 | 0x7ed1b000 | 0x7ed1dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed1e000 | 0x7ed1e000 | 0x7ed1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #829: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #829 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:04:29, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x950 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A74
0x
FB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008e0000 | 0x008e0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00901fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00aa0000 | 0x00b5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eb9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eba0000 | 0x7eba0000 | 0x7ebc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebc6000 | 0x7ebc6000 | 0x7ebc8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebc9000 | 0x7ebc9000 | 0x7ebc9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebca000 | 0x7ebca000 | 0x7ebcafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebcd000 | 0x7ebcd000 | 0x7ebcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x548, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #831: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #831 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:29, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x548 |
| Parent PID | 0x950 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
724
0x
544
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000500000 | 0x00500000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00543fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f366000 | 0x7f366000 | 0x7f366fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f369000 | 0x7f369000 | 0x7f369fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36d000 | 0x7f36d000 | 0x7f36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #832: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #832 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:29, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd08 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD8
0x
1B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000360000 | 0x00360000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x0036ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00373fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x003a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00500fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00520000 | 0x005ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00940000 | 0x00c76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f900000 | 0x7f900000 | 0x7f9fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa00000 | 0x7fa00000 | 0x7fa22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa25000 | 0x7fa25000 | 0x7fa25fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa29000 | 0x7fa29000 | 0x7fa2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa2c000 | 0x7fa2c000 | 0x7fa2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa2f000 | 0x7fa2f000 | 0x7fa2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0x9c4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #834: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #834 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:29, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c4 |
| Parent PID | 0xd08 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
404
0x
D38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000890000 | 0x00890000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00963fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00981fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f592fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f59b000 | 0x7f59b000 | 0x7f59bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f59c000 | 0x7f59c000 | 0x7f59cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f59d000 | 0x7f59d000 | 0x7f59ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #835: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #835 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/PerfTiming" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x438 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5D4
0x
E78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00baffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d60000 | 0x00e1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f19ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f1c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1c4000 | 0x7f1c4000 | 0x7f1c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1c7000 | 0x7f1c7000 | 0x7f1c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ca000 | 0x7f1ca000 | 0x7f1ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1cd000 | 0x7f1cd000 | 0x7f1cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xf4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #837: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #837 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D11/PerfTiming" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:30, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0x438 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
94C
0x
814
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000af0000 | 0x00af0000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f496000 | 0x7f496000 | 0x7f496fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49c000 | 0x7f49c000 | 0x7f49efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f49f000 | 0x7f49f000 | 0x7f49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #838: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #838 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:30, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd6c |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
878
0x
41C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e50000 | 0x00e50000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01001fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01020000 | 0x010ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054a0000 | 0x054a0000 | 0x054affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054b0000 | 0x057e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa30000 | 0x7fa30000 | 0x7fb2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb30000 | 0x7fb30000 | 0x7fb52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb58000 | 0x7fb58000 | 0x7fb58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb59000 | 0x7fb59000 | 0x7fb5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb5c000 | 0x7fb5c000 | 0x7fb5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb5d000 | 0x7fb5d000 | 0x7fb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xfa4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #840: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #840 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:30, Reason: Child Process |
| Unmonitor | End Time: 00:04:30, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa4 |
| Parent PID | 0xd6c (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FBC
0x
C04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05083fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x054effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f350000 | 0x7f350000 | 0x7f372fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f375000 | 0x7f375000 | 0x7f375fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f37c000 | 0x7f37c000 | 0x7f37efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f37f000 | 0x7f37f000 | 0x7f37ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #841: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #841 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:30, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb4 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1FC
0x
EB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e10000 | 0x00e10000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fd0000 | 0x0108dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0533ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x0562ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05630000 | 0x05966fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f16ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f193000 | 0x7f193000 | 0x7f193fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f196000 | 0x7f196000 | 0x7f196fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19a000 | 0x7f19a000 | 0x7f19cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19d000 | 0x7f19d000 | 0x7f19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xc18, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #843: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #843 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/Logging" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc18 |
| Parent PID | 0xdb4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CDC
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x04dbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ee72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee7a000 | 0x7ee7a000 | 0x7ee7afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee7b000 | 0x7ee7b000 | 0x7ee7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee7d000 | 0x7ee7d000 | 0x7ee7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #844: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #844 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/PerfTiming" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
848
0x
788
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000960000 | 0x00960000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x0096ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00973fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00981fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x009a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b20000 | 0x00bddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f320000 | 0x7f320000 | 0x7f41ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f420000 | 0x7f420000 | 0x7f442fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f446000 | 0x7f446000 | 0x7f448fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f449000 | 0x7f449000 | 0x7f449fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f44b000 | 0x7f44b000 | 0x7f44dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f44e000 | 0x7f44e000 | 0x7f44efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\SysWOW64 | type = file_attributes |
|
2 | |
| Get Info | wevtutil.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\wevtutil.exe | os_pid = 0xb4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1140000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\SysWOW64 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #846: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #846 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil.exe clear-log "Microsoft-Windows-Direct3D12/PerfTiming" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb4c |
| Parent PID | 0xa68 (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
0x
EF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001c0000 | 0x001c0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| wevtutil.exe | 0x00b40000 | 0x00b6efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f07b000 | 0x7f07b000 | 0x7f07dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07e000 | 0x7f07e000 | 0x7f07efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07f000 | 0x7f07f000 | 0x7f07ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #847: cmd.exe
0
0
| Information | Value |
|---|---|
| ID | #847 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Direct3D9/Analytic" |
| Initial Working Directory | C:\Windows\SysWOW64\ |
| Monitor | Start Time: 00:04:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x990 |
| Parent PID | 0x8dc (c:\programdata\safe.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e60000 | 0x00e60000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x01140000 | 0x0118ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0518ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0544ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f960000 | 0x7f960000 | 0x7f982fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f989000 | 0x7f989000 | 0x7f989fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f98c000 | 0x7f98c000 | 0x7f98efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f98f000 | 0x7f98f000 | 0x7f98ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
