a7aae83573aa9a682ce9733468882e841564f41ec4aa004cb795b98fd4834d15 (SHA256)
SS BRAID PO.doc.rtf
RTF Document
Created at 2018-09-05 20:13:00
Notifications (2/2)
The maximum number of reputation URL requests (25 per analysis) was exceeded. As a result, the reputation status could not be queried for all contacted URLs. In order to get the reputation status for all contacted URLs, please increase the 'Max URL Requests' setting in the system configurations.
The overall sleep time of all monitored processes was truncated from "16 minutes, 44 seconds" to "2 minutes, 10 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
0
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:19, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:03:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0x45c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A5C
0x
A58
0x
A54
0x
A50
0x
A3C
0x
A2C
0x
A28
0x
A24
0x
A20
0x
A1C
0x
A18
0x
A14
0x
A10
0x
A0C
0x
A08
0x
A04
0x
A00
0x
9D8
0x
9D4
0x
9D0
0x
9CC
0x
9C8
0x
9C4
0x
AC4
0x
B30
0x
3C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00106fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00162fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00392fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01bd0000 | 0x01e9efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x02292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x023dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x02670fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002680000 | 0x02680000 | 0x02680fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002710000 | 0x02710000 | 0x027eefff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x027f0000 | 0x028affff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000028e0000 | 0x028e0000 | 0x028e4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x028f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002900000 | 0x02900000 | 0x02901fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02910000 | 0x0291bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02920000 | 0x02927fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x02a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x02b20000 | 0x02b2ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002b30000 | 0x02b30000 | 0x02b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02b40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002b60000 | 0x02b60000 | 0x02b60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002b70000 | 0x02b70000 | 0x02b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02c80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c90000 | 0x02c90000 | 0x02c91fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02ca0000 | 0x02ca0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002cb0000 | 0x02cb0000 | 0x02cb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02ccffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02cd0000 | 0x02ceffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002cf0000 | 0x02cf0000 | 0x02cf1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d00000 | 0x02d00000 | 0x02d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x02e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02e30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e40000 | 0x02e40000 | 0x02f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f40000 | 0x02f40000 | 0x0303ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003040000 | 0x03040000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003140000 | 0x03140000 | 0x0353ffff | Pagefile Backed Memory | r |
|
|
|
- |
| c_1255.nls | 0x03540000 | 0x03550fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003580000 | 0x03580000 | 0x0367ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003680000 | 0x03680000 | 0x0377ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x03780000 | 0x037fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003820000 | 0x03820000 | 0x0382ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003830000 | 0x03830000 | 0x0392ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039a0000 | 0x039a0000 | 0x039affff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x039b0000 | 0x03a5afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03afffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003b00000 | 0x03b00000 | 0x03efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003fa0000 | 0x03fa0000 | 0x0409ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040e0000 | 0x040e0000 | 0x041dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041e0000 | 0x041e0000 | 0x042dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x0441ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004420000 | 0x04420000 | 0x04c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| staticcache.dat | 0x04f70000 | 0x0589ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000058a0000 | 0x058a0000 | 0x0599ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a10000 | 0x05a10000 | 0x05a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005b60000 | 0x05b60000 | 0x05b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c10000 | 0x05c10000 | 0x05d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e90000 | 0x05e90000 | 0x05f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006060000 | 0x06060000 | 0x060dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006170000 | 0x06170000 | 0x0626ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006330000 | 0x06330000 | 0x0642ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006430000 | 0x06430000 | 0x0652ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006530000 | 0x06530000 | 0x0662ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006690000 | 0x06690000 | 0x0678ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000067d0000 | 0x067d0000 | 0x068cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068d0000 | 0x068d0000 | 0x070cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007170000 | 0x07170000 | 0x0726ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007290000 | 0x07290000 | 0x0738ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007390000 | 0x07390000 | 0x0838ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000008430000 | 0x08430000 | 0x084affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000085f0000 | 0x085f0000 | 0x0866ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000087f0000 | 0x087f0000 | 0x0886ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008870000 | 0x08870000 | 0x08c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008c70000 | 0x08c70000 | 0x09070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009080000 | 0x09080000 | 0x09480fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009490000 | 0x09490000 | 0x09890fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000098a0000 | 0x098a0000 | 0x09a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009aa0000 | 0x09aa0000 | 0x0aaa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000aab0000 | 0x0aab0000 | 0x0aeaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037240000 | 0x37240000 | 0x3724ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037490000 | 0x37490000 | 0x3749ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x749d0000 | 0x74a02fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77230000 | 0x77329fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77330000 | 0x7744efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77450000 | 0x775f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77610000 | 0x77612fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77620000 | 0x77626fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13f160000 | 0x13f33bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febd6b0000 | 0x7febd6b0000 | 0x7febd6bffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febdad0000 | 0x7febdad0000 | 0x7febdadffff | Private Memory | rwx |
|
|
|
- |
| ivy.dll | 0x7fee3bd0000 | 0x7fee3e24fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee3e30000 | 0x7fee4c05fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee4c10000 | 0x7fee4d83fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee4d90000 | 0x7fee4ea9fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee4eb0000 | 0x7fee514afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee52f0000 | 0x7fee5388fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5390000 | 0x7fee555ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee5560000 | 0x7fee56fcfff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee5700000 | 0x7fee9ae6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7fee9af0000 | 0x7feea7e4fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feea7f0000 | 0x7feeac2cfff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeac30000 | 0x7feec65bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feec660000 | 0x7feed306fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feed310000 | 0x7feedddefff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feedde0000 | 0x7feee4c3fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feee4d0000 | 0x7feee972fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feee980000 | 0x7feef904fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7feef910000 | 0x7fef20e8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef2160000 | 0x7fef21cefff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef21d0000 | 0x7fef220afff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fef2300000 | 0x7fef247dfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fef2480000 | 0x7fef253ffff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7fef2540000 | 0x7fef2621fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef2630000 | 0x7fef26bafff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fef26c0000 | 0x7fef275bfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 196 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #2: eqnedt32.exe
8
1
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:27, Reason: RPC Server |
| Unmonitor | End Time: 00:00:36, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0x258 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
ACC
0x
AD0
0x
AD4
0x
AD8
0x
ADC
0x
AE0
0x
AE4
0x
AE8
0x
AEC
0x
AF0
0x
AF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| eqnedt32.exe | 0x00400000 | 0x0048dfff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00490000 | 0x004f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x00540000 | 0x0054bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x005a0000 | 0x005a7fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01db0000 | 0x0207efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02472fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x0287ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002880000 | 0x02880000 | 0x0295efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x02a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02d60000 | 0x02e1ffff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02e20000 | 0x02e2ffff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02e30000 | 0x02e6ffff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x0000000002e70000 | 0x02e70000 | 0x02e71fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x02e80000 | 0x02e80fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x02e80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002e80000 | 0x02e80000 | 0x02e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002e90000 | 0x02e90000 | 0x02e91fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ee0000 | 0x02ee0000 | 0x02ee0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002ef0000 | 0x02ef0000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02f30000 | 0x0385ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003860000 | 0x03860000 | 0x03ba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003bb0000 | 0x03bb0000 | 0x03caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003db0000 | 0x03db0000 | 0x03deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003df0000 | 0x03df0000 | 0x03e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003e30000 | 0x03e30000 | 0x03e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003e40000 | 0x03e40000 | 0x03e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e90000 | 0x03e90000 | 0x03e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ea0000 | 0x03ea0000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ee0000 | 0x03ee0000 | 0x03fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003fe0000 | 0x03fe0000 | 0x040dffff | Private Memory | rw |
|
|
|
- |
| c_20127.nls | 0x040e0000 | 0x040f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004150000 | 0x04150000 | 0x0415ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004160000 | 0x04160000 | 0x0425ffff | Private Memory | rw |
|
|
|
- |
| eeintl.dll | 0x3de20000 | 0x3de2dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000006f630000 | 0x6f630000 | 0x6f63ffff | Private Memory | rwx |
|
|
|
- |
| msi.dll | 0x74330000 | 0x7456ffff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x74410000 | 0x74447fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74450000 | 0x74455fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x74460000 | 0x74467fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74470000 | 0x744c9fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x744d0000 | 0x744d5fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x744e0000 | 0x744effff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x744f0000 | 0x744f4fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74500000 | 0x7453bfff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74540000 | 0x74545fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74550000 | 0x74564fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x747a0000 | 0x747acfff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x747b0000 | 0x74801fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74810000 | 0x7482bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74830000 | 0x749cdfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74a10000 | 0x74a22fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74a30000 | 0x74aaffff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x74ab0000 | 0x74ab2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74ac0000 | 0x74ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74ad0000 | 0x74b2bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74b30000 | 0x74b6efff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74b70000 | 0x74b76fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74b80000 | 0x74bc3fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74bd0000 | 0x74bd8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74be0000 | 0x74c00fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74c10000 | 0x74c1dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74c20000 | 0x74c5afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74c60000 | 0x74c75fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74c80000 | 0x74d03fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74d10000 | 0x74d1afff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74d20000 | 0x74d36fff | Memory Mapped File | rwx |
|
|
|
- |
| c2r32.dll | 0x74d40000 | 0x74eb8fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems32.dll | 0x74ec0000 | 0x75077fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75180000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75190000 | 0x751effff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75210000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x75300000 | 0x75334fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75340000 | 0x753c2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x753d0000 | 0x7545ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x754e0000 | 0x75524fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x756d0000 | 0x75726fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75730000 | 0x7583ffff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75840000 | 0x75845fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75850000 | 0x75895fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x758b0000 | 0x758bbfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x758c0000 | 0x758c2fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x758d0000 | 0x759c4fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x759d0000 | 0x75a6ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b00000 | 0x75b9cfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ba0000 | 0x75cd5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75ce0000 | 0x75dabfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75db0000 | 0x75faafff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75fb0000 | 0x7610bfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76110000 | 0x76d59fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76d60000 | 0x76dbffff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76dc0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76ec0000 | 0x76ed8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ee0000 | 0x76f6efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76fa0000 | 0x7704bfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x770e0000 | 0x771fcfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077230000 | 0x77230000 | 0x77329fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077330000 | 0x77330000 | 0x7744efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77450000 | 0x775f8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77600000 | 0x77609fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77630000 | 0x777affff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 32 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | 1.07 MB |
MD5:
e2c7b5d78675bbccc85af58db4711648
SHA1: f9865f7d0fa19d942aa9be0a57580af0c7ad07f1 SHA256: 411ad7a95a34da04211b3887c3c2ab4b08359363fb1c4baf22fb323af6d9e408 SSDeep: 12288:7KrQPt9tEZjhY8LbbEjLQvJ2o/X8FMidEdwccqA5LboI5dg7taDncJGM:2EtkbwjaMo/sFDdewV5t5duADcJGM |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | 1.07 MB |
MD5:
e2c7b5d78675bbccc85af58db4711648
SHA1: f9865f7d0fa19d942aa9be0a57580af0c7ad07f1 SHA256: 411ad7a95a34da04211b3887c3c2ab4b08359363fb1c4baf22fb323af6d9e408 SSDeep: 12288:7KrQPt9tEZjhY8LbbEjLQvJ2o/X8FMidEdwccqA5LboI5dg7taDncJGM:2EtkbwjaMo/sFDdewV5t5duADcJGM |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\windows\ietldcache\index.dat | 256.00 KB |
MD5:
8ed682d01fa076cced515bf6b21ba022
SHA1: e69667b35d101d9cd052697da198c40a88e16e74 SHA256: 4abb12ce35853bda9c190e84a3329ab50701e035b92436eba8f4ddf9b96e4e6c SSDeep: 384:p8JEJHPiHzw9qthimENkKHK0M/kWJAm0yvCUW0TT0nufeuP6DYAfIc1FAPEOyAa2:pTHPUpI2djFQ7JNAocaKTbUZUzx3S |
|
|
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (6)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Urlmon | base_address = 0x75ba0000 |
|
1 | |
| Load | Shell32 | base_address = 0x76110000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75744173 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = URLDownloadToFileW, address_out = 0x75c366f6 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x76131e46 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75747a10 |
|
1 |
Network Behavior
URL (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Download | url = http://rollboat.tk/new/kc.exe, filename = C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe |
|
1 |
Process #4: jsjhdhdhdhjfjhhf.exe
49
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:18, Reason: Self Terminated |
| Monitor Duration | 00:00:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf8 |
| Parent PID | 0xac8 (c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AFC
0x
B20
0x
B24
0x
B28
0x
B2C
0x
BC4
0x
BD4
0x
98C
0x
988
0x
95C
0x
964
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x0008ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0009ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000affff | Private Memory | - |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Private Memory | - |
|
|
|
- |
| jsjhdhdhdhjfjhhf.exe | 0x00100000 | 0x00219fff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00220000 | 0x00286fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | - |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x003b9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x004e0000 | 0x00541fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x0205ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x020fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x020affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0211ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x0217ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x021dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0231ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0237ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0437ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0454ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x0467ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04680000 | 0x0494efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004950000 | 0x04950000 | 0x04a2efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nlp | 0x04b70000 | 0x04e41fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0517ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x0617ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054a0000 | 0x054a0000 | 0x0559ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055e0000 | 0x055e0000 | 0x056dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006180000 | 0x06180000 | 0x0717ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007180000 | 0x07180000 | 0x073cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000073d0000 | 0x073d0000 | 0x074affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000074b0000 | 0x074b0000 | 0x075affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007610000 | 0x07610000 | 0x0770ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007710000 | 0x07710000 | 0x0780ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007810000 | 0x07810000 | 0x07a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007a10000 | 0x07a10000 | 0x07c0ffff | Private Memory | rw |
|
|
|
- |
| system.core.ni.dll | 0x70550000 | 0x70c65fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x70c70000 | 0x718c7fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x718d0000 | 0x7227cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72280000 | 0x734aafff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x734b0000 | 0x73b57fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x74170000 | 0x7433afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74340000 | 0x743b7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x743c0000 | 0x74409fff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x747d0000 | 0x748cafff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x748d0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74a30000 | 0x74aaffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74ac0000 | 0x74ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74ad0000 | 0x74b2bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74b30000 | 0x74b6efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74c10000 | 0x74c1dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74c20000 | 0x74daffff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74db0000 | 0x74deafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74df0000 | 0x74e05fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74e10000 | 0x74e26fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74e30000 | 0x74e3afff | Memory Mapped File | rwx |
|
|
|
- |
| nlssorting.dll | 0x74e40000 | 0x74e52fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x74e60000 | 0x74fecfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x74ff0000 | 0x7506cfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75070000 | 0x75078fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75180000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75190000 | 0x751effff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75210000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x753d0000 | 0x7545ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x756d0000 | 0x75726fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75730000 | 0x7583ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75850000 | 0x75895fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x758a0000 | 0x758a4fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x759d0000 | 0x75a6ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b00000 | 0x75b9cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75ce0000 | 0x75dabfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75fb0000 | 0x7610bfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76110000 | 0x76d59fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76d60000 | 0x76dbffff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76dc0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76ec0000 | 0x76ed8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ee0000 | 0x76f6efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76fa0000 | 0x7704bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077230000 | 0x77230000 | 0x77329fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077330000 | 0x77330000 | 0x7744efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77450000 | 0x775f8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77600000 | 0x77609fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77630000 | 0x777affff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7efa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | type = file_type |
|
2 | |
| Delete | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe:Zone.Identifier | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER | type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER | data = -boot, size = 14, type = REG_SZ |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | os_pid = 0x140, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | os_tid = 0xafc |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | os_tid = 0xafc |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | os_tid = 0xafc |
|
1 |
Memory (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 557056 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x7efde008, size = 4 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x400000, size = 512 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x402000, size = 519168 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x482000, size = 12800 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x486000, size = 512 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe | address = 0x7efde008, size = 4 |
|
1 |
Module (2)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe, size = 2048 |
|
2 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1798 milliseconds (1.798 seconds) |
|
1 | |
| Sleep | duration = 4729 milliseconds (4.729 seconds) |
|
1 | |
| Sleep | duration = 25000 milliseconds (25.000 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
14 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 20 milliseconds (0.020 seconds) |
|
1 |
Process #6: jsjhdhdhdhjfjhhf.exe
2735
65
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x140 |
| Parent PID | 0xaf8 (c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7A8
0x
96C
0x
974
0x
978
0x
958
0x
A88
0x
A90
0x
AA0
0x
92C
0x
930
0x
71C
0x
570
0x
638
0x
244
0x
538
0x
808
0x
818
0x
828
0x
838
0x
848
0x
85C
0x
87C
0x
8A0
0x
8B4
0x
8CC
0x
8E0
0x
574
0x
AD0
0x
ACC
0x
AC8
0x
6F0
0x
35C
0x
BB8
0x
BCC
0x
BC8
0x
4F4
0x
758
0x
53C
0x
864
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x0008ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | - |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Private Memory | - |
|
|
|
- |
| jsjhdhdhdhjfjhhf.exe | 0x00100000 | 0x00219fff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00220000 | 0x00286fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | - |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00487fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00636fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00641fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00750fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00751fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00760fff | Pagefile Backed Memory | rw |
|
|
|
- |
| gdipfontcachev1.dat | 0x00770000 | 0x0078bfff | Memory Mapped File | rw |
|
|
|
|
| windowsshell.manifest | 0x00770000 | 0x00770fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00781fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x00880000 | 0x00901fff | Memory Mapped File | r |
|
|
|
- |
| mscorrc.dll | 0x00880000 | 0x008e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00c17fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00da0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x021affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000021b0000 | 0x021b0000 | 0x0228efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0238ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x023dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x043dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043e0000 | 0x043e0000 | 0x044dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0460ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04610000 | 0x048defff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x048e0000 | 0x0495efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x049d0000 | 0x04a8ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b7ffff | Private Memory | rwx |
|
|
|
- |
| sortdefault.nlp | 0x04b80000 | 0x04e51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x04fc0000 | 0x0506afff | Memory Mapped File | r |
|
|
|
- |
| micross.ttf | 0x04fc0000 | 0x0505ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| msjh.ttf | 0x051e0000 | 0x06688fff | Memory Mapped File | r |
|
|
|
- |
| msyh.ttf | 0x051e0000 | 0x066a2fff | Memory Mapped File | r |
|
|
|
- |
| malgun.ttf | 0x051e0000 | 0x05602fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x053e0000 | 0x0557afff | Memory Mapped File | r |
|
|
|
- |
| system.windows.forms.ni.dll | 0x6f110000 | 0x6fd67fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x70550000 | 0x70c65fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.dll | 0x70d10000 | 0x711a7fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x711b0000 | 0x718c5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x718d0000 | 0x7227cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72280000 | 0x734aafff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x734b0000 | 0x73b57fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73e40000 | 0x73fddfff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x73fe0000 | 0x7416ffff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x74170000 | 0x7433afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74340000 | 0x743b7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x743c0000 | 0x74409fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74890000 | 0x748cafff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x748d0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74a10000 | 0x74a22fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74a30000 | 0x74aaffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74ac0000 | 0x74ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74ad0000 | 0x74b2bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74b30000 | 0x74b6efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74b70000 | 0x74b85fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.ni.dll | 0x74b90000 | 0x74c7ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.runtime.remoting.ni.dll | 0x74c80000 | 0x74d44fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74d50000 | 0x74dd3fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x74de0000 | 0x74f6cfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x74f70000 | 0x74fecfff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74ff0000 | 0x74ff5fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x75000000 | 0x75004fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x75010000 | 0x7504bfff | Memory Mapped File | rwx |
|
|
|
- |
| nlssorting.dll | 0x75050000 | 0x75062fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75070000 | 0x75078fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75180000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75190000 | 0x751effff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75210000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x75300000 | 0x75334fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x753d0000 | 0x7545ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x756d0000 | 0x75726fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75730000 | 0x7583ffff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75840000 | 0x75845fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75850000 | 0x75895fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x759d0000 | 0x75a6ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b00000 | 0x75b9cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75ce0000 | 0x75dabfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75fb0000 | 0x7610bfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76110000 | 0x76d59fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76d60000 | 0x76dbffff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76dc0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76ec0000 | 0x76ed8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ee0000 | 0x76f6efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76fa0000 | 0x7704bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077230000 | 0x77230000 | 0x77329fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077330000 | 0x77330000 | 0x7744efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77450000 | 0x775f8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77600000 | 0x77609fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77630000 | 0x777affff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ef40000 | 0x7ef40000 | 0x7ef4ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007ef50000 | 0x7ef50000 | 0x7ef9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 124 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #4: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xafc | address = 0x400000, size = 512 |
|
1 | |
| Modify Memory | #4: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xafc | address = 0x402000, size = 519168 |
|
1 | |
| Modify Memory | #4: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xafc | address = 0x482000, size = 12800 |
|
1 | |
| Modify Memory | #4: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xafc | address = 0x486000, size = 512 |
|
1 | |
| Modify Memory | #4: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xafc | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Control Flow | #4: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xafc | os_tid = 0x7a8, address = 0x0 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\pid.txt | 0.00 KB |
MD5:
320722549d1751cf3f247855f937b982
SHA1: 7fdec83a2662ffe53af456402cbaeafa380b15b4 SHA256: 88820462180e5c893eff2ed73f4ec33e205d1cd5acc4d17fa7b2bca2495d3448 SSDeep: 3:QV:QV |
|
|
| C:\Users\aETAdzjz\AppData\Roaming\pidloc.txt | 0.05 KB |
MD5:
87819f6ce8eada938d45a0a19258bb58
SHA1: 28cab071479d4d2ebeda3662a66b58f220ecf7f6 SHA256: 3d1d10f3d9b4de9aefc08608f20c0c0c789bf430b73cb2fa0d20b8b575075aa7 SSDeep: 3:oNJxzp4EaKC5uhDPfQC:oN/zpJaZ5uiC |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\gdipfontcachev1.dat | 109.69 KB |
MD5:
8c07b597e04adb6ef1c7a91e611668d8
SHA1: 03bfce03604869383ecb864c4d8ab9b99d4af8c8 SHA256: 63304f19e0ad5ec509b7e5484ec4074b451db2379f2838de3b4b2c14c8b6dd8c SSDeep: 1536:A2cnwUXHgTlmIUxyX337I5NZjP4LMLzZ5KsLJ:PTArrHvLJ |
|
|
Host Behavior
COM (24)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
11 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
5 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
4 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\YKYD69Q\root\SecurityCenter2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 |
File (1579)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\pid.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\pidloc.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
344 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
428 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\jsjhdhdhdhjfjhhf.exe.config | type = file_attributes |
|
3 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\pid.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\pid.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\pidloc.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\pidloc.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt | type = file_attributes |
|
344 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\.minecraft\lastlogin | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\jagex_cache\regPin\YKYD69Q_Pin0.jpeg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt | type = file_attributes |
|
429 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\bitcoin\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\wallet.dat | type = file_attributes |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 4096 |
|
8 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 3215 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\pid.txt | size = 3 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\pidloc.txt | size = 54 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt | - |
|
1 |
Registry (36)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time\Dynamic DST | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | value_name = HWRPortReuseOnSocketBind, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | value_name = Hidden, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | value_name = SchUseStrongCrypto, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = TZI, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = MUI_Display, data = @tzres.dll,-880, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = MUI_Std, data = @tzres.dll,-272, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time | value_name = MUI_Dlt, data = @tzres.dll,-271, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | value_name = Hidden, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | os_pid = 0x138, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | os_pid = 0xad4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | os_tid = 0x574 |
|
1 | |
| Get Context | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe | os_tid = 0xad0 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | os_tid = 0x574 |
|
1 | |
| Set Context | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe | os_tid = 0xad0 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | os_tid = 0x574 |
|
1 | |
| Resume | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe | os_tid = 0xad0 |
|
1 |
Memory (14)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 110592 |
|
1 | |
| Allocate | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 360448 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x400000, size = 1024 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x401000, size = 68096 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x412000, size = 14336 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x416000, size = 3072 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x418000, size = 12288 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" | address = 0x0, size = 4 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x400000, size = 1024 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x401000, size = 269824 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x443000, size = 46592 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x44f000, size = 5632 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x452000, size = 22528 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" | address = 0x0, size = 4 |
|
1 |
Module (81)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x74d50000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x73e40000 |
|
1 | |
| Load | C:\Windows\Microsoft.NET\Framework\v4.0.30319\\wminet_utils.dll | base_address = 0x73be0000 |
|
1 | |
| Load | C:\Windows\system32\en-US\tzres.dll.mui | base_address = 0x2290001 |
|
3 | |
| Get Handle | comctl32.dll | base_address = 0x0 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x76dc0000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
10 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x74d50000 |
|
8 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | base_address = 0x73e40000 |
|
3 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x776625dd |
|
1 | |
| Get Address | Unknown module name | function = ResetSecurity, address_out = 0x73be24de |
|
1 | |
| Get Address | Unknown module name | function = SetSecurity, address_out = 0x73be2520 |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServices, address_out = 0x73be1c69 |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServicesObject, address_out = 0x73be1cbb |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyHandle, address_out = 0x73be21b4 |
|
1 | |
| Get Address | Unknown module name | function = WritePropertyValue, address_out = 0x73be2617 |
|
1 | |
| Get Address | Unknown module name | function = Clone, address_out = 0x73be1d0d |
|
2 | |
| Get Address | Unknown module name | function = VerifyClientKey, address_out = 0x73be25b4 |
|
1 | |
| Get Address | Unknown module name | function = GetQualifierSet, address_out = 0x73be2215 |
|
1 | |
| Get Address | Unknown module name | function = Get, address_out = 0x73be20d4 |
|
1 | |
| Get Address | Unknown module name | function = Put, address_out = 0x73be22be |
|
1 | |
| Get Address | Unknown module name | function = Delete, address_out = 0x73be1f31 |
|
1 | |
| Get Address | Unknown module name | function = GetNames, address_out = 0x73be2182 |
|
1 | |
| Get Address | Unknown module name | function = BeginEnumeration, address_out = 0x73be1c43 |
|
1 | |
| Get Address | Unknown module name | function = Next, address_out = 0x73be2283 |
|
1 | |
| Get Address | Unknown module name | function = EndEnumeration, address_out = 0x73be1fc2 |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyQualifierSet, address_out = 0x73be21ff |
|
1 | |
| Get Address | Unknown module name | function = GetObjectText, address_out = 0x73be219e |
|
1 | |
| Get Address | Unknown module name | function = SpawnDerivedClass, address_out = 0x73be2566 |
|
1 | |
| Get Address | Unknown module name | function = SpawnInstance, address_out = 0x73be257c |
|
1 | |
| Get Address | Unknown module name | function = CompareTo, address_out = 0x73be1d8d |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyOrigin, address_out = 0x73be21e9 |
|
1 | |
| Get Address | Unknown module name | function = InheritsFrom, address_out = 0x73be2228 |
|
1 | |
| Get Address | Unknown module name | function = GetMethod, address_out = 0x73be213a |
|
1 | |
| Get Address | Unknown module name | function = DeleteMethod, address_out = 0x73be1f44 |
|
1 | |
| Get Address | Unknown module name | function = BeginMethodEnumeration, address_out = 0x73be1c56 |
|
1 | |
| Get Address | Unknown module name | function = NextMethod, address_out = 0x73be22a2 |
|
1 | |
| Get Address | Unknown module name | function = EndMethodEnumeration, address_out = 0x73be1fd2 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodQualifierSet, address_out = 0x73be216c |
|
1 | |
| Get Address | Unknown module name | function = GetMethodOrigin, address_out = 0x73be2156 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Get, address_out = 0x73be242c |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Put, address_out = 0x73be247a |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Delete, address_out = 0x73be2409 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_GetNames, address_out = 0x73be2448 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_BeginEnumeration, address_out = 0x73be23f6 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Next, address_out = 0x73be245e |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_EndEnumeration, address_out = 0x73be241c |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentApartmentType, address_out = 0x73be2215 |
|
1 | |
| Get Address | Unknown module name | function = GetDemultiplexedStub, address_out = 0x73be20f3 |
|
1 | |
| Get Address | Unknown module name | function = CreateInstanceEnumWmi, address_out = 0x73be1ebb |
|
1 | |
| Get Address | Unknown module name | function = CreateClassEnumWmi, address_out = 0x73be1e45 |
|
1 | |
| Get Address | Unknown module name | function = ExecQueryWmi, address_out = 0x73be205b |
|
1 | |
| Get Address | Unknown module name | function = ExecNotificationQueryWmi, address_out = 0x73be1fe2 |
|
1 | |
| Get Address | Unknown module name | function = PutInstanceWmi, address_out = 0x73be235a |
|
1 | |
| Get Address | Unknown module name | function = PutClassWmi, address_out = 0x73be22da |
|
1 | |
| Get Address | Unknown module name | function = CloneEnumWbemClassObject, address_out = 0x73be1d20 |
|
1 | |
| Get Address | Unknown module name | function = ConnectServerWmi, address_out = 0x73be1da3 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 132 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (23)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 | class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 2003183069 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 78907406 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 2003183069 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 78907486 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 2003183069 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 78907566 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 2003183069 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 78907686 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551608, new_long = 66068 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551608, new_long = 66068 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551600, new_long = 570490880 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551596, new_long = 589824 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 2003183069 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 78907806 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 2003183069 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.141b42a_r14_ad1, index = 18446744073709551612, new_long = 78907846 |
|
1 |
System (914)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Computer Name | result_out = YKYD69Q |
|
5 | |
| Sleep | duration = -1 (infinite) |
|
2 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Sleep | duration = 200 milliseconds (0.200 seconds) |
|
833 | |
| Sleep | duration = 120000 milliseconds (120.000 seconds) |
|
1 | |
| Sleep | duration = 140000 milliseconds (140.000 seconds) |
|
1 | |
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
1 | |
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
2 | |
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
2 | |
| Sleep | duration = 100000 milliseconds (100.000 seconds) |
|
1 | |
| Sleep | duration = 180000 milliseconds (180.000 seconds) |
|
1 | |
| Sleep | duration = 89984 milliseconds (89.984 seconds) |
|
1 | |
| Sleep | duration = 79969 milliseconds (79.969 seconds) |
|
1 | |
| Sleep | duration = 69954 milliseconds (69.954 seconds) |
|
1 | |
| Sleep | duration = 59939 milliseconds (59.939 seconds) |
|
1 | |
| Sleep | duration = 49923 milliseconds (49.923 seconds) |
|
1 | |
| Sleep | duration = 39908 milliseconds (39.908 seconds) |
|
1 | |
| Sleep | duration = 29893 milliseconds (29.893 seconds) |
|
1 | |
| Sleep | duration = 19877 milliseconds (19.877 seconds) |
|
1 | |
| Sleep | duration = 9862 milliseconds (9.862 seconds) |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
50 | |
| Sleep | duration = 200 milliseconds (0.200 seconds) |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | - |
|
1 | |
| Release | - |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.Connection_Disabled |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.Connection_MinCount |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.SslStream_Disabled |
|
2 | |
| Get Environment String | name = PinnableBufferCache_System.Net.SslStream_MinCount |
|
2 | |
| Get Environment String | name = AppData, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
1 |
Network Behavior
DNS (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = YKyd69q |
|
1 | |
| Resolve Name | host = YKyd69q, address_out = fe80:0000:0000:0000:cc69:dee7:228c:baff, 192.168.0.105 |
|
1 | |
| Resolve Name | host = whatismyipaddress.com, address_out = 104.16.17.96, 104.16.20.96, 104.16.18.96, 104.16.19.96, 104.16.16.96 |
|
1 | |
| Resolve Name | host = smtp.gmail.com, address_out = 64.233.166.108, 64.233.166.109 |
|
2 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 3.70 KB |
| Total Data Received | 3.77 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 64.233.166.108:587 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x368 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 64.233.166.108 |
| Remote Port | 587 |
| Local Address | 0.0.0.0 |
| Local Port | 49195 |
| Data Sent | 3.70 KB |
| Data Received | 3.77 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 64.233.166.108, remote_port = 587 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 256, size_out = 57 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 14, size_out = 14 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 256, size_out = 169 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 10, size_out = 10 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 256, size_out = 30 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 118, size_out = 118 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 87, size_out = 87 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2291, size_out = 2291 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 331, size_out = 331 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 53, size_out = 53 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 256, size_out = 256 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 85, size_out = 85 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 53, size_out = 53 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 69, size_out = 69 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 80, size_out = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 69, size_out = 69 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 80, size_out = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 37, size_out = 37 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 80, size_out = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 309, size_out = 309 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 2725, size_out = 2725 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 37, size_out = 37 |
|
2 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 80, size_out = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 37, size_out = 37 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 96, size_out = 96 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Server (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Listen | local_address = 127.0.0.1, local_port = 49189, queue_length = 2147483647 |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 71 bytes |
| Total Data Received | 564 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | whatismyipaddress.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | whatismyipaddress.com |
| Server Port | 80 |
| Data Sent | 71 |
| Data Received | 564 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = whatismyipaddress.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = / |
|
1 | |
| Send HTTP Request | headers = host: whatismyipaddress.com, connection: Keep-Alive, url = whatismyipaddress.com/ |
|
1 | |
| Read Response | size = 4096, size_out = 564 |
|
1 | |
| Close Session | - |
|
1 |
Process #9: vbc.exe
81
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holdermail.txt" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:01:38, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x138 |
| Parent PID | 0x140 (c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B8
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| vbc.exe | 0x00400000 | 0x0051dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0041afff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x01f8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| atl.dll | 0x73b70000 | 0x73b83fff | Memory Mapped File | rwx |
|
|
|
- |
| pstorec.dll | 0x73ba0000 | 0x73bacfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74ac0000 | 0x74ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74ad0000 | 0x74b2bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74b30000 | 0x74b6efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74d50000 | 0x74dd3fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75180000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75190000 | 0x751effff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75210000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x753d0000 | 0x7545ffff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75460000 | 0x754dafff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x756d0000 | 0x75726fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75730000 | 0x7583ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75850000 | 0x75895fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x758b0000 | 0x758bbfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x759d0000 | 0x75a6ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b00000 | 0x75b9cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75ce0000 | 0x75dabfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75fb0000 | 0x7610bfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76110000 | 0x76d59fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76d60000 | 0x76dbffff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76dc0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76ec0000 | 0x76ed8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76fa0000 | 0x7704bfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x770e0000 | 0x771fcfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077230000 | 0x77230000 | 0x77329fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077330000 | 0x77330000 | 0x7744efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77450000 | 0x775f8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77600000 | 0x77609fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77630000 | 0x777affff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | address = 0x400000, size = 1024 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | address = 0x401000, size = 68096 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | address = 0x412000, size = 14336 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | address = 0x416000, size = 3072 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | address = 0x418000, size = 12288 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | address = 0x0, size = 4 |
|
1 | |
| Modify Control Flow | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0x574 | os_tid = 0x9b8, address = 0x776401c4 |
|
1 |
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Thunderbird | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | size = 1506, size_out = 1506 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | size = 670, size_out = 670 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | size = 1734, size_out = 1734 |
|
1 |
Registry (24)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Group Mail | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MessengerService | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Yahoo\Pager | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 |
Module (32)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x74d50000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76110000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x73ba0000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x770e0000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x759d0000 |
|
3 | |
| Get Handle | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x74d56be6 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x7635fb26 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x73ba526c |
|
1 | |
| Get Address | c:\windows\syswow64\crypt32.dll | function = CryptUnprotectData, address_out = 0x77115a7f |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x75a171c1 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x759db2ec |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x75a17941 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x75a17381 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x75a17481 |
|
3 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Ini (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 |
Process #10: vbc.exe
419
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\aETAdzjz\AppData\Local\Temp\holderwb.txt" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:01:43, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0x140 (c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE0
0x
AE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00286fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00457fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e80000 | 0x0214efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x0224ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x02350fff | Private Memory | rw |
|
|
|
- |
| nss3.dll | 0x02250000 | 0x02401fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x024fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002570000 | 0x02570000 | 0x02962fff | Pagefile Backed Memory | r |
|
|
|
- |
| freebl3.dll | 0x70ca0000 | 0x70ceefff | Memory Mapped File | rwx |
|
|
|
- |
| freebl3.dll | 0x70d10000 | 0x70d5efff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x70d50000 | 0x70d76fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x70d60000 | 0x70d76fff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x70d80000 | 0x70da6fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x70d90000 | 0x70da6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x70db0000 | 0x70e18fff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x70e20000 | 0x70e41fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x70e50000 | 0x70f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x70f10000 | 0x70f41fff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x70f50000 | 0x71104fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x710f0000 | 0x71103fff | Memory Mapped File | rwx |
|
|
|
- |
| pstorec.dll | 0x73b80000 | 0x73b8cfff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x73b80000 | 0x73b86fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x73ba0000 | 0x73babfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74890000 | 0x748cafff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74ac0000 | 0x74ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74ad0000 | 0x74b2bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74b30000 | 0x74b6efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74b70000 | 0x74b85fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74d50000 | 0x74dd3fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75070000 | 0x75078fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75180000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75190000 | 0x751effff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75210000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x75300000 | 0x75334fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x753d0000 | 0x7545ffff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75460000 | 0x754dafff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x756d0000 | 0x75726fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75730000 | 0x7583ffff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75840000 | 0x75845fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75850000 | 0x75895fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x758b0000 | 0x758bbfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x758d0000 | 0x759c4fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x759d0000 | 0x75a6ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b00000 | 0x75b9cfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ba0000 | 0x75cd5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75ce0000 | 0x75dabfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75db0000 | 0x75faafff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75fb0000 | 0x7610bfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76110000 | 0x76d59fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76d60000 | 0x76dbffff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76dc0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76ec0000 | 0x76ed8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ee0000 | 0x76f6efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76fa0000 | 0x7704bfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x770e0000 | 0x771fcfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077230000 | 0x77230000 | 0x77329fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077330000 | 0x77330000 | 0x7744efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77450000 | 0x775f8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77600000 | 0x77609fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77630000 | 0x777affff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | address = 0x400000, size = 1024 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | address = 0x401000, size = 269824 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | address = 0x443000, size = 46592 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | address = 0x44f000, size = 5632 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | address = 0x452000, size = 22528 |
|
1 | |
| Modify Memory | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | address = 0x0, size = 4 |
|
1 | |
| Modify Control Flow | #6: c:\users\aetadzjz\appdata\roaming\jsjhdhdhdhjfjhhf.exe | 0xad0 | os_tid = 0xae0, address = 0x776401c4 |
|
1 |
Host Behavior
File (305)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090520180906\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090520180906\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | type = time |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | type = file_attributes |
|
3 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Sea Monkey\nss3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 8, size_out = 8 |
|
23 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 256, size_out = 256 |
|
22 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 384, size_out = 384 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090520180906\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090520180906\index.dat | size = 8, size_out = 8 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090520180906\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 8, size_out = 8 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 8, size_out = 8 |
|
94 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 8, size_out = 8 |
|
94 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 256, size_out = 256 |
|
2 | |
| Write | - | size = 2 |
|
1 |
Registry (15)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | Mozilla Firefox\bin | - |
|
3 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | Mozilla Firefox 25.0\bin | - |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Enumerate Keys | - | - |
|
3 | |
| Enumerate Keys | - | - |
|
3 |
Module (67)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x74d50000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76110000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x759d0000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x73b80000 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x73ba0000 |
|
1 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x70f50000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
18 | |
| Get Handle | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\program files (x86)\mozilla firefox\nss3.dll | base_address = 0x70f50000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x74d56be6 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathW, address_out = 0x76130468 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x75a171c1 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x759db2ec |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x75a17941 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x75a17381 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x75a17481 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x73b8526c |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultOpenVault, address_out = 0x73ba26a9 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultCloseVault, address_out = 0x73ba2718 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x73ba3099 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultFree, address_out = 0x73ba4321 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetInformation, address_out = 0x73ba24c0 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetItem, address_out = 0x73ba3242 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x7100d70b |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x7100d13c |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x70fa3c51 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x70fa3333 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x70f8cbc4 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x70f8d3ca |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x70fa00a7 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_open, address_out = 0x710b1ca0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_prepare, address_out = 0x7103ce70 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_step, address_out = 0x710a5200 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_text, address_out = 0x7105d400 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_int, address_out = 0x7105d3a0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_int64, address_out = 0x7105d3d0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_finalize, address_out = 0x71089f60 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_close, address_out = 0x7108bde0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_exec, address_out = 0x7108a270 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Ini (25)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 |
